Security Basics mailing list archives

Re: SAS70


From: John Blackley <jblackley () sysmatrix net>
Date: 17 May 2005 21:02:55 -0000

In-Reply-To: <20050516213837.8981.qmail () mail securityfocus com>

Steve,

A SAS 70 audit generally begins with you and the auditor agreeing a number of control objectives which you will be 
measured against. That being so, I suggest you research control objectives (I'll be happy to help offline) and be 
prepared to negotiate strongly in the pre-audit phase.

Some companies and auditors are prepared to go through a 'pre-audit' based on those control objectives - in other 
words, a mock audit to highlight where your control issues lie before the 'real' audit takes place. I don't know if 
your company or auditor falls into this category but, if they do, this is obviously a valuable exercise.

The audit itself covers a specified period. In other words, when the auditors come in to do a field examination, they 
will look for evidence that your control objectives were met over a specified period. That means that you should have 
documented policies, standards and procedures and, for the period in question, there should be documentary evidence 
that policies, standards and procedures were followed.

The SAS 70 audit report will line up pretty well with your control objectives and issue a grade against each (often 
'Satisfactory, Unsatisfactory, or Cause For Concern'). For each grade below Satisfactory, the auditor should append an 
explanation of why the grade was issued and will often offer advice on what must be done to improve it.

Please let me know offline if I can be of further help.

John A Blackley
