Security Basics mailing list archives

RE: SAS70


From: "Rosado, Rafael (Rafael)" <rarosado () lucent com>
Date: Wed, 18 May 2005 20:12:50 -0600

All,

I agree with Sonja that ISO17799/BS7799 is a good source for establishing a
baseline of controls to prepare for a SAS-70 Audit.  However, ISO17799 has a
heavy focus on security-related controls and the Statement of Auditing
Standards (SAS) No. 70 (Service Organizations) "provides guidance to an
auditor performing (1) an audit of a user organization's financial
statements, and (2) procedures at a service organization that will enable
the auditor to issue a service auditor's report on a service organizations'
controls that may be part of user organizations' information systems"
(SOURCE: AICPA's Audit Guide - Service Organizations: Applying SAS No. 70,
As Amended with Conforming Changes as of May 1, 2004).

That said, in addition to ISO17799, other frameworks to consider in
preparation of a SAS70 Audit are COSO (The Committee of Sponsoring
Organizations of the Treadway Commission - http://www.coso.org), ISACA's
(Information Systems Audit and Control Association) Control Objectives for
Information Technology/COBIT (http://www.isaca.org) and IIA's (Institute of
Internal Auditors) System Assurance and Control/SAC and Global Technology
Audit Guides (http://www.theiia.org/).

I've been involved in reviewing SAS70 Reports as an internal auditor, I have
performed SAS70 audits as an external auditor, and I am currently involved
as a consultant in assisting clients to prepare for SAS70 audits
(particularly for Telecommunications Service Providers).

Perspectives on what should be covered as part of the scope of a SAS70 audit
are negotiated between the service organization (an organization providing a
particular service to customers), the service auditor (a Certified Public
Accounting organization that will perform the audit and issue the SAS70
Audit Report) and the user auditor and/or organization (the customer of the
service organization requesting the SAS70 Audit to be performed).  A SAS70
Audit can be pursued by a service organization to satisfy one or more user
organization's request(s) for a SAS70 Report, or as a marketing tool to
provide assurance to prospective customers that the service organization's
structure of internal controls is sound.

The authoritative source of what should be contained in a SAS70 Report is
the AICPA's Audit Guide - Service Organizations: Applying SAS No. 70 which
can only be purchased from the AICPA's publications website -
https://www.cpa2biz.com/CS2000/Products/CPA2BIZ/Service+Organizations:+Applying+SAS+No.+70%2C+as+Amended:+AICPA+Audit+Guide.htm.
However, there are no guidelines on what should be included in the scope of
a SAS70 Audit because each SAS70 Audit will be unique (based on the service
for which the SAS70 audit is being performed).  What would be mostly common
across SAS70 Audits are the IT Controls that support the service; the
business process controls will be unique to the service being audited.

Enjoy SAS70!

Rafael Rosado, CISSP, CISA
Security Consultant
Lucent Worldwide Services
Business Consulting
Reliability and Security Services
Voice: 954-885-2176 
Email: rarosado () lucent com 
http://www.lucent.com/security/
http://www.lucent.com/solutions/sec_sol_sp.html

This e-mail message and any attachment(s) to it are intended only for the
use of the addressee(s).  The information in this e-mail message is
confidential and proprietary and may be subject to legal privilege.  The
reading or dissemination of this email by anyone other than the intended
recipient is strictly prohibited.  If you believe you have received this
e-mail in error, please notify the sender immediately and permanently delete
this e-mail, any attachments and all copies thereof from any drives or
storage media and destroy any printouts. 
-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com] 
Sent: Wednesday, May 18, 2005 1:14 PM
To: Steve Fletcher; Security-Basics
Subject: RE: SAS70

I would evaluate your organization based on ISO 17799/BS7799.  Those are the
general practices that are audited against and that most auditors use as
criteria.  You can also try looking at isaca.org website.  They
might have something.   Also ref SAS No. 94


The worst that you do is "over" audit your organization.  Better that than
under.  You may be surprised at what you find under general IT controls.

Sonja L. Robinson, CISSP, CIFI, CISA, CISM
Forensic Specialist, Digital Investigations
HIP Information Security Group
Tel: 212-806-4125
srobinson () hipusa com
 

-----Original Message-----
From: Steve Fletcher [mailto:safletcher () insightbb com]
Sent: Monday, May 16, 2005 6:05 PM
To: 'Security-Basics'
Subject: SAS70

I am not sure if this is the correct list for this or not, but I thought I
would try this list first.  

Recently, I have been tasked with assisting a company with preparing their
network for a SAS70 audit.  Unfortunately, I am not very familiar with the
requirements for SAS70.  I have done some searching, but have found very
limited information on what this audit covers.  I know that it is primarily
a financial audit including information systems, but other than that, I have
not been able to find any useful information.

I am sure that the network currently has security issues, but I am concerned
with whether the issues I see are critical to fix prior to the SAS70 audit.
Any information on what this covers would be greatly appreciated.

Thanks,

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher () insightbb com
