
The Roadmap to SAS70 Success - Selecting an External Auditor

Wednesday, March 5th, 2008

I can’t think of a witty title


Once you’ve determined the need for a SAS70 audit, the next key step is selecting an External Auditing Firm for your SAS70 engagement. The reason you want to make this selection so early in the process is that this is not your typical external audit. In this case, the external auditor becomes a member of your team BEFORE the actual audit. They should help in determining the scope of the audit and the set of controls. Many detractors of the SAS70 audit state one of two things:

  • A SAS70 audit is no good because the audited company determines their own scope and controls, so a lot is missed.

  • A SAS70 audit is no good because the auditor only reports on the controls that are present; a lot could be missed.

By selecting an ethical and experienced SAS70 auditor, both of these statements become false. While the company is still the final arbiter of scope and controls, the auditor, as part of the team, will highlight deficiencies in both places and can even include those items as part of the report. By doing this, your company will develop a stronger scope and set of controls.

Some may ask, “Why do this? It sets the bar higher.” That is a good question. Consider it like getting a degree. Not only does the degree count, but WHERE you get the degree counts as well. A mail-order degree counts far less (if at all) than a degree from an accredited institution. In addition, by having an auditor who is part of the team and has experience in SAS70, not only will you check the block in terms of customer needs, you may also improve your corporate operations.

OK, the short list of items for selecting an External Auditor:

  • Must come from a CPA firm (or at least a CPA, but really you want a firm).

  • Should have several years at least of SAS70 experience.

  • Able to provide references for SAS70 engagements.

  • In their proposal, they should outline that they will help determine and/or review scope and controls, or be part of the initial team before the audit period starts. This addresses the issue I wrote about above and adds value to your SAS70.

  • Should have some information systems and information security professionals on the team (CISA/CISSP/etc). While SAS70 is not a security audit, many of the controls selected relate to security. ISO 27001/2 (old ISO 17799) experience a plus.

  • Must have Sarbanes Oxley auditing experience.

  • COBIT experience/certification a plus. (COBIT and ISO experience is good, as these are common best-practice control sets for IT Governance and Information Security.)

Note that the selected auditor does not have to be the same external auditor you may already have on contract to provide services for your firm. In fact, many CPA firms may not qualify for the above items.

Obviously your company should interview more than one firm. In addition, finding the right firms to ask may be difficult. Search the web for firms. The Big 4 all do these audits, but they could be cost prohibitive for smaller firms; many regional CPA firms also provide this service. Ask other companies you do business with if they have contracted with an auditing firm for SAS70 engagements. Finally, if you contract for third-party services from another company (hosting, for example), there is a good chance they have undergone a SAS70 audit, and you may be able to find your auditor that way.

If all else fails, ask me, I have dealt with several reputable firms for SAS70 engagements.

Answering SAS70 Criticism

Friday, December 7th, 2007

Or A SAS70 Apologist

In preparing for SAS70 Audits and assisting other companies for their audits, I came across a document that summarizes well the criticisms of the SAS70. Below, I answer from a non-auditor perspective the misconceptions in each argument.

  1. No Objective Standard. The complaint is that the audited company gets to create their own controls and is only graded on those controls. For example: if the company does not put in a control on having passwords, then they will not get graded on that. Unfortunately, that may be the case if one has hired a poor auditor to validate controls, but in the SAS70s I have been through, there are checks and balances. Specifically, at the beginning of the audit period, the auditor reviews the controls themselves to make sure they are sufficient. While indeed there is not a single objective standard, that is acceptable. The controls for a financial institution should be different from the controls of a software development company, for instance.
  2. The SAS 70 Audit Process is Designed to Drive Billable Hours. There are several complaints rolled into one here. The primary complaint is that audits are expensive because auditors are there the whole time, since the controls have to be tested over time. This is not the case. Controls can be tested over time by a thorough review of the evidence near the end of the testing period. One may want an auditor in several times so there are no end-of-the-period surprises, but there is no need to be auditing during the whole period. The cost for SAS70 was listed as $100,000 to $300,000 or even greater. This may be the case for some audits, but for smaller companies, I’ve seen audits that are a tenth of that estimate.


  3. Other Audits Can Serve Better Than SAS70. The idea here is that you can work with a company that has asked for a SAS70 and provide them other audits or information that will serve just as well. This may work OK when one only has a few customers, but in light of Sarbanes-Oxley and companies that provide services to hundreds or thousands of customers, the SAS70 is the most viable option. Instead of having to negotiate on an annual basis to ensure each company’s audit needs are met (imagine having to do this 1000 times a year, for example!), one can complete a SINGLE SAS70 and meet the needs of all your customers on an annual basis. If a customer has a specific need, add that as a control for the SAS70 and solve the need for any future requests as well.
  4. ISO17799, NIST SP-800-53, COBIT, etc. provide better controls. Of course they can, provided they fit your company’s operations and business. However, again, these do not fulfill the need a SAS70 does. The best option is to take one or more of those frameworks and use them as the basis for your controls in the SAS70. In that way you get the best of both worlds. I know of one company that used the entire 17799 control set as the basis for their SAS70 control set.

Conclusion: As with any tool, SAS70 can be misused, intentionally or through a lack of understanding of the purpose and benefit of the standard. Most of the complaints above derive from a lack of understanding of the SAS70 and of how to truly execute a successful SAS70 audit that benefits both the audited company and the companies that use its services.