The Roadmap to SAS70 Success - Determine the Need

February 18th, 2008

or Sexy as SOX on a Rooster

Not all companies need a SAS70 audit. There are several key reasons one would need a SAS70 audit.

  • You are a company that provides outsourced services to public companies. Public companies, as a result of Sarbanes-Oxley, are required to show their service providers have appropriate controls over processes and technology. In this case, you most certainly need a SAS70 audit.
  • You are a company that may want to provide outsourced services to public companies. In this case, you are anticipating a need.
  • You are a company that wishes to differentiate yourself from other companies providing a similar service. In this case, you are using the SAS70 as part of your business development strategy.
  • You are a company that for some reason or another may be audited by many of your customers, public or private. In this case a single SAS70 can eliminate the need for multiple audits, making your audit “life” much easier.
  • You are a company that sees a need to improve your internal controls and verify that improvement. This really is more a side benefit to conducting a SAS70 audit.

These are the primary reasons one would need a SAS70 audit. I can’t think of any other good reasons, so if you don’t fall into one or more of the categories above, then you likely shouldn’t put the effort into a SAS70 audit. If you can think of another valid reason, feel free to comment.

In addition, you need to decide the type of SAS70 audit. In reality, the only useful SAS70 audit is a Type II audit. To me, the only reason for a Type I is in preparation for a Type II or as a stopgap measure when you know you may have problems passing a Type II and you want to reduce the scope rather than “fail” a SAS70. The primary difference is that a Type I only verifies the controls at a specific point in time, while a Type II verifies that the controls are in place and operational over a significant period of time (min. 6 months).

How To Sell Your Product

January 31st, 2008

Or Viral Marketing vs Joe Sixpack

Guy Kawasaki wrote in his blog recently (blog.guykawasaki.com) a post titled “Forget the A List After All” which actually references another blog post called “Is the Tipping Point Toast” from Fast Company Magazine. Essentially they refute “The Tipping Point” through some research that says “Influencers” actually have very little impact on a trend and mass marketing is the most effective means to market an item, depending on whether society is ready for a trend. I think the answer really is somewhere in the middle. Like many quoted in the article, I find it hard to believe that someone whom others wish to emulate and who has a lot of connections (either personally or through the media) would have the same impact as Joe Blow in suburbia. If that were the case, I don’t think there would be the success of the whole paparazzi / People magazine culture where everyone wants to see what these stars are wearing.

 

If we take the old model with influencers and just assume they have more connections (we aren’t even talking influence here, but the number of connections) and do your typical 2 friends tell 2 friends progression, with the exception of the influencer (I put 100 but I think in the case of many, the influencers would reach many more people), you get the following table (courtesy of Open Office). Of course in this case, this is just getting the word out (in other words, before the trend hits).

| Time Period | Number without Influencer | Number with Influencer | % Increase |
|-------------|---------------------------|------------------------|------------|
| 1           | 2                         | 2                      | 0          |
| 2           | 4                         | 4                      | 0          |
| 3           | 8                         | 8                      | 0          |
| 4           | 16                        | 800                    | 5000       |
| 5           | 32                        | 1600                   | 5000       |
| 6           | 64                        | 3200                   | 5000       |
| 7           | 128                       | 6400                   | 5000       |
| 8           | 256                       | 12800                  | 5000       |
| 9           | 512                       | 25600                  | 5000       |
| 10          | 1024                      | 51200                  | 5000       |
| 11          | 2048                      | 102400                 | 5000       |

 

Side Notes: I found the article interesting regarding Malcolm Gladwell’s response. He respects the work even if it is in opposition to his work, stating that the answer is likely somewhere in between, and he likened it to his disagreements with Mr. Levitt (Freakonomics) on the reduction in crime (Broken Windows theory vs. increased abortions). It was interesting because, in a short comment I had put in a book review on Goodreads.com, I noted that Gladwell blurbed Levitt’s book, but the book disagreed with Gladwell’s use of the Broken Windows theory. Originally I was disappointed in both books (The Tipping Point and Freakonomics) as they seem to have answers that are too neat. Here Gladwell almost recognizes that, which tends to make me like him more. I guess for books to sell (or magazines in the case of Fast Company), they need to be conclusive, even if the real answers are not so pat.

 

Of course I found this post through an influential blogger and technologist (I saw him speak a while back on “The Art of the Start”) so that is a little ironic.

The Roadmap to SAS70 Success - Overview

January 30th, 2008

or Put One Foot In Front of the Auditor

This is the first, short post on the steps to successfully “passing” a SAS70 Type II audit. Hopefully this roadmap will help organizations looking to incorporate the SAS70 into their operations. This will not cover what a SAS70 audit is. For more general information, visit www.SAS70.org or do your Google/Wiki searches. Future blog posts will cover each of the main headings below:

  1. Determining the Need for a SAS70 Audit
  2. Selecting an External Auditor
  3. Determining the Scope of the SAS70 Audit
  4. Reviewing Existing Controls or Developing New Controls
  5. Testing the Control Set
  6. Selecting a Start Date
  7. Monitoring During an Audit Period
  8. Managing the Audit
  9. Reviewing the Findings
  10. Improving the Control Set

This list is not how everyone would do it or the order in which they may perform it, but I feel overall this is the best method. If you feel differently or think I may have missed something, comment. I’ll either respond in comments or incorporate the comments in future blog posts.
