What is a SAS70?
Posted on April 7th, 2010
If you’ve come here because you heard about something called a SAS70 that your business needs, you’ve found the right spot to get some great background information so you go into the process with as much knowledge as possible.
The process can be overwhelming because of the pressure to obtain a clean report. You don’t want to show a requesting company a report with exceptions; you must prove you are a reputable company. They want to know that their information is secure with you and that your work is performed with a focus on quality processes.
There are two types of SAS70 reports: Type I and Type II.
A Type I report is a test of the design effectiveness of your business’s controls. Is your business operating well enough for a company to believe there is a base level of controls in place at your business? However, most companies will not accept a Type I report if they are requiring a SAS70 from you (the service organization), but it will prove to a company (the user organization) that you are actively working towards performing a Type II.
A Type II report is a test of the operating effectiveness of your business’s controls. Is your business actively performing all of its controls without exception? Here, full-blown testing is performed: pulling populations and samples, finding old documentation, and making sure everything is done exactly how the control says it is performed. The way your controls are designed should accurately reflect the environment and processes at your business.
There are a few steps before you can even think about testing controls and getting your report.
- SAS70 Preparation – Performing Walkthroughs, Defining Controls, Reviewing Supporting Information
- Readiness Assessment – Think of this as a test run at the SAS70: you will do a full run-through of the process. Be ready to pull populations and samples, because it should reflect what you would experience when performing a SAS 70 Type II.
- Remediation – This is where you work internally and/or in conjunction with the company who performed the readiness assessment to adjust your controls and processes to the point where they are operating well enough to pass a Type II.
Once your company is comfortable with the results it has seen after the steps above, you move forward and start the clock on the reporting period. At this point there is no turning back!
If you have any questions or comments, feel free to leave them below.