Archive for the ‘SAS70’ Category

The Roadmap to SAS70 Success - Selecting an External Auditor

Wednesday, March 5th, 2008

I can’t think of a witty title

 

Once you’ve determined the need for a SAS70 audit, the next key step is selecting an External Auditing Firm for your SAS70 engagement. The reason you want to make this selection so early in the process is that this is not your typical external audit. In this case, the external auditor becomes a member of your team BEFORE the actual audit. They should help in determining the scope of the audit and the set of controls. Many detractors of the SAS70 audit state one of two things:

  • A SAS70 audit is no good because the audited company determines their scope and controls so a lot is missed.

  • A SAS70 audit is no good because the auditor only reports on what controls are present; there could be a lot that is missed.

By selecting an ethical and experienced SAS70 auditor, both of these statements become false. While the company is still the final arbiter of scope and controls, the auditor, as part of the team, will highlight deficiencies in both areas and can even include those items as part of the report. By doing this, your company will develop a stronger scope and set of controls.

Some may ask, “Why do this? It sets the bar higher.” That is a good question. Consider it like getting a degree. Not only does the degree count, but WHERE you get the degree counts as well. A mail-order degree counts far less (if at all) than a degree from an accredited institution. In addition, by having an auditor that is part of the team and has experience in SAS70, not only will you check the block in terms of customer needs, you also may improve your corporate operations.

OK, the short list of items to look for when selecting an External Auditor:

  • Must come from a CPA firm (or at least a CPA, but really you want a firm)

  • Should have several years at least of SAS70 experience.

  • Able to provide references for SAS70 engagements.

  • In their proposal, they should outline that they will help determine and/or review scope and controls, or be part of the initial team before the audit period starts. This addresses the issue I wrote about above and adds value to your SAS70.

  • Should have some information systems and information security professionals on the team (CISA/CISSP/etc). While SAS70 is not a security audit, many of the controls selected relate to security. ISO 27001/2 (old ISO 17799) experience a plus.

  • Must have Sarbanes Oxley auditing experience.

  • COBIT experience/certification a plus. (COBIT and ISO experience is good as these are common best-practice control sets for IT Governance and Information Security.)

Note that the selected auditor does not have to be the same external auditor you may already have on contract to provide services for your firm. In fact, many CPA firms may not qualify for the above items.

Obviously your company should interview more than one firm. In addition, finding the right firms to ask may be difficult. Search the web for firms. The Big 4 all do these audits, but they could be cost prohibitive for smaller firms; many regional CPA firms also provide this service. Ask other companies you do business with if they have contracted with an auditing firm for SAS70 engagements. Finally, if you contract for third-party services from another company (hosting, for example), there is a good chance they have undergone a SAS70 audit and you may be able to find your auditor that way.

If all else fails, ask me, I have dealt with several reputable firms for SAS70 engagements.

Volume 1, 2008 of Information Systems Control Journal

Thursday, February 28th, 2008

Auditors with Attitude!

With apologies to N.W.A’s Straight Outta Compton

 

The latest issue of Control came out. I have a hard time reading professional journals, although I know it’s in my best interest to do so, so I’m a skimmer. The contents of this specific issue can be found here: TOC. My main issue with most journals is that I prefer the “how to” type of article or hard data. Oftentimes you don’t get those. There are a few gems in this month’s journal that I think are worth reading and understanding. But first, I found this rather humorous…

The article “Measuring the Readability of Software Requirement Specifications” in the issue talks about how specs are too hard to read, and covers several tools that can help with readability as well as other means to make them easier to read and understand. Two of the tools that are available in Microsoft Word are F.K. Readability and F.K. Grade Level. The authors stress that these tools should only be used as part of making specs readable, not as the final determination of good-quality specs; if used alone, the spec writer will likely still have a poor spec. In other words, they are a good tool to determine general direction and “clues” to poor documentation, but serious consideration needs to be given to having a more “holistic” tool available to improve specifications. Quickly put, F.K. Readability uses a score. The lower the score, the more difficult to read, with 30 or lower equating to college graduate level. F.K. Grade Level is a computation of the grade level. Out of curiosity, I cut and pasted the article into Word (realizing this is a journal, so I expected relatively difficult-to-read scores). Here is what I came up with.

(image: readability2.jpg)

I’m just saying…..

OK, for the articles I LIKE… if you click on the links you will need an account with ISACA.org.

Practicing Information Technology Auditing for Fraud: This is a good article (with a boring name). One, lots of tables/pictures for simple guys like me. Two, it really gives a good and simple methodology for determining fraud risk and applying controls. Short, sweet and simple.

Is Your Printer Betraying Your Business?: Key items: networked printers have multiple services running on them that may be vulnerable to attack (IBM printers in particular had many services running), and networked printers have admin accounts that would allow someone to redirect a copy of all documents by enabling fax forwarding; these accounts have default passwords that many don’t change. There are more interesting items here; I suggest reading this article.

Lastly, Continuous Auditing Comes of Age is a good article looking to the future of audit management. I found it interesting to put this in the context of SAS70 audits. Continuous auditing means that data is constantly collected, and audits are then incremental over time rather than massive efforts at certain points. This can reduce cost and find problems when they are small instead of later when the impact is cumulative. The article was directed at internal audit, but I could see a significant benefit for external audits like SAS70 as well, since the information/evidence should be much better and cleaner.

The Roadmap to SAS70 Success - Determine the Need

Monday, February 18th, 2008

or Sexy as SOX on a Rooster

Not all companies need a SAS70 audit. There are several key reasons one would need a SAS70 audit.

  • You are a company that provides outsourced services to public companies. Public companies, as a result of Sarbanes-Oxley, are required to show their service providers have appropriate controls over processes and technology. In this case, you most certainly need a SAS70 audit.
  • You are a company that may want to provide outsourced services to public companies. In this case, you are anticipating a need.
  • You are a company that wishes to differentiate yourself from other companies providing a similar service. In this case, you are using the SAS70 as part of your business development strategy.
  • You are a company that for some reason or another may be audited by many of your customers, public or private. In this case a single SAS70 can eliminate the need for multiple audits, making your audit “life” much easier.
  • You are a company that sees a need to improve your internal controls and verify that improvement. This really is more a side benefit to conducting a SAS70 audit.

These are the primary reasons one would need a SAS70 audit. I can’t think of any other good reasons, so if you don’t fall into one or more of the categories above, then you likely shouldn’t put the effort into a SAS70 audit. If you can think of another valid reason, feel free to comment.

In addition, you need to decide the type of SAS70 audit. In reality, the only useful SAS70 audit is a Type II audit. To me, the only reason for a Type I is in preparation for a Type II, or as a stopgap measure when you know you may have problems passing a Type II and you want to reduce the scope rather than “fail” a SAS70. The primary difference is that a Type I only verifies the controls at a specific point in time, while a Type II verifies that the controls are in place and operational over a significant period of time (min. 6 months).