Security Basics mailing list archives
RE: SAS70
From: "Rosado, Rafael (Rafael)" <rarosado () lucent com>
Date: Wed, 18 May 2005 20:12:50 -0600
All,

I agree with Sonja that ISO17799/BS7799 is a good source for establishing a baseline of controls to prepare for a SAS-70 Audit. However, ISO17799 has a heavy focus on security-related controls, and the Statement of Auditing Standards (SAS) No. 70 (Service Organizations) "provides guidance to an auditor performing (1) an audit of a user organization's financial statements, and (2) procedures at a service organization that will enable the auditor to issue a service auditor's report on a service organizations' controls that may be part of user organizations' information systems" (SOURCE: AICPA's Audit Guide - Service Organizations: Applying SAS No. 70, As Amended with Conforming Changes as of May 1, 2004).

That said, in addition to ISO17799, other frameworks to consider in preparation for a SAS70 Audit are COSO (The Committee of Sponsoring Organizations of the Treadway Commission - http://www.coso.org), ISACA's (Information Systems Audit and Control Association) Control Objectives for Information Technology/COBIT (http://www.isaca.org) and the IIA's (Institute of Internal Auditors) Systems Assurance and Control/SAC and Global Technology Audit Guides (http://www.theiia.org/).

I've been involved in reviewing SAS70 Reports as an internal auditor, I have performed SAS70 audits as an external auditor, and I am currently involved as a consultant in assisting clients to prepare for SAS70 audits (particularly for Telecommunications Service Providers). Perspectives on what should be covered as part of the scope of a SAS70 audit are negotiated between the service organization (an organization providing a particular service to customers), the service auditor (a Certified Public Accounting organization that will perform the audit and issue the SAS70 Audit Report) and the user auditor and/or organization (the customer of the service organization requesting the SAS70 Audit to be performed).
A SAS70 Audit can be pursued by a service organization to satisfy one or more user organizations' request(s) for a SAS70 Report, or as a marketing tool to provide assurance to prospective customers that the service organization's structure of internal controls is sound. The authoritative source on what should be contained in a SAS70 Report is the AICPA's Audit Guide - Service Organizations: Applying SAS No. 70, which can only be purchased from the AICPA's publications website - https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Service+Organizations:+Applying+SAS+No.+70%2C+as+Amended:+AICPA+Audit+Guide.htm. However, there are no guidelines on what should be included in the scope of a SAS70 Audit, because each SAS70 Audit will be unique (based on the service for which the SAS70 audit is being performed). What would be mostly common across SAS70 Audits are the IT Controls that support the service, while the business process controls will be unique to the service being audited.

Enjoy SAS70!

Rafael Rosado, CISSP, CISA
Security Consultant
Lucent Worldwide Services
Business Consulting
Reliability and Security Services
Voice: 954-885-2176
Email: rarosado () lucent com
http://www.lucent.com/security/
http://www.lucent.com/solutions/sec_sol_sp.html

This e-mail message and any attachment(s) to it are intended only for the use of the addressee(s). The information in this e-mail message is confidential and proprietary and may be subject to legal privilege. The reading or dissemination of this email by anyone other than the intended recipient is strictly prohibited. If you believe you have received this e-mail in error, please notify the sender immediately and permanently delete this e-mail, any attachments and all copies thereof from any drives or storage media and destroy any printouts.
-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
Sent: Wednesday, May 18, 2005 1:14 PM
To: Steve Fletcher; Security-Basics
Subject: RE: SAS70

I would evaluate your organization based on ISO 17799/BS7799. Those are the general practices that are audited against and that most auditors use as criteria. You can also try looking at the isaca.org website. They might have something. Also ref SAS No. 94. The worst that you do is "over" audit your organization. Better that than under. You may be surprised at what you find under general IT controls.

Sonja L. Robinson, CISSP, CIFI, CISA, CISM
Forensic Specialist, Digital Investigations
HIP Information Security Group
Tel: 212-806-4125
srobinson () hipusa com

-----Original Message-----
From: Steve Fletcher [mailto:safletcher () insightbb com]
Sent: Monday, May 16, 2005 6:05 PM
To: 'Security-Basics'
Subject: SAS70

I am not sure if this is the correct list for this or not, but I thought I would try this list first. Recently, I have been tasked with assisting a company with preparing their network for a SAS70 audit. Unfortunately, I am not very familiar with the requirements for SAS70. I have done some searching, but have found very limited information on what this audit covers. I know that it is primarily a financial audit including information systems, but other than that, I have not been able to find any useful information. I am sure that the network currently has security issues, but I am concerned with whether the issues I see are critical to fix prior to the SAS70 audit. Any information on what this covers would be greatly appreciated.

Thanks,
Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher () insightbb com