
SAS 70 Overview

February 5, 2012

What is Risk Management?

The process of analyzing information technology, financial, and operational risks and implementing solutions to reduce or eliminate exposures in a cost effective manner.

Information technology is broadly defined to include all forms of technology used to create, store, exchange, and use information in its various forms.

Financial risk could result in the loss or corruption of financial information. Operational risk could result in the disruption or discontinuance of business operations.

Using an Application Service Provider (ASP)

Risk management must be approached at an organizational level, and dependencies on third-party ASPs should be considered as part of it.

Organizations should exercise extreme caution about company health, responsiveness, security, and reliability when selecting an ASP. A financial audit alone leaves an audit gap when an organization is partially dependent on a third-party ASP, because the controls that matter run in the ASP's environment rather than the organization's own; an IT audit of the ASP's operating environment is needed to provide assurance over those controls.

SAS 70 Overview

Statement on Auditing Standards (SAS) No. 70

Developed by the American Institute of Certified Public Accountants (AICPA) in 1993. Note that for reporting periods ending on or after June 15, 2011, SAS 70 has been superseded by SSAE 16 (the SOC 1 report), which keeps the Type I / Type II distinction described below.

Provides a method for service organizations to have their internal control environment objectively assessed for a given period of time, and to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format.

The examination is performed by an independent service auditor, typically on an annual basis, with the auditor's opinion presented in a Service Auditor's Report. A SAS 70 report includes:

  • Service Auditor's Report
  • Description of Controls and Operations
  • Control Objectives, Control Activities, and Service Auditor's Tests of Operating Effectiveness
  • Optional Information

Service Auditor’s Report

There are two types of SAS 70 Service Auditor's Reports:

  • Type I: Includes the service organization's description of controls and the auditor's opinion on whether those controls are suitably designed and placed in operation as of a specific point in time.
  • Type II: Includes the service organization's description of controls together with the auditor's tests of operating effectiveness over a given period of time (minimum of six months).

A Type I report gives no assurance that the described controls actually operated over time; when relying on a third-party ASP, a Type II report is the one that closes the audit gap described above, and the user organization should check that the covered period and the listed control objectives match the services it actually consumes.

www.bestitdocuments.com