Security Basics mailing list archives
Re: SAS70
From: John Blackley <jblackley () sysmatrix net>
Date: 17 May 2005 21:02:55 -0000
In-Reply-To: <20050516213837.8981.qmail () mail securityfocus com>

Steve,

A SAS 70 audit generally begins with you and the auditor agreeing a number of control objectives which you will be measured against. That being so, I suggest you research control objectives (I'll be happy to help offline) and be prepared to negotiate strongly in the pre-audit phase.

Some companies and auditors are prepared to go through a 'pre-audit' based on those control objectives - in other words, a mock audit to highlight where your control issues lie before the 'real' audit takes place. I don't know if your company or auditor falls into this category but, if they do, this is obviously a valuable exercise.

The audit itself covers a specified period. In other words, when the auditors come in to do a field examination, they will look for evidence that your control objectives were met over a specified period. That means that you should have documented policies, standards and procedures and, for the period in question, there should be documentary evidence that policies, standards and procedures were followed.

The SAS 70 audit report will line up pretty well with your control objectives and issue a grade against each (often 'Satisfactory', 'Unsatisfactory', or 'Cause For Concern'). For each grade below Satisfactory, the auditor should append an explanation of why the grade was issued and will often offer advice on what must be done to improve it.

Please let me know offline if I can be of further help.

John A Blackley
Current thread:
- SAS70 Steve Fletcher (May 16)
- Re: SAS70 routerg (May 18)