Friday, 9 January 2009

What Areas are assessed in the SAS 70 Audits?

By Amy Nutt

There are two different types of SAS 70 audits, simply labeled 'Type 1' and 'Type 2.' The difference between the two depends on what needs to be reviewed within a particular company. As for which companies must undergo the audit: any company in the services industry that handles customer information which, if compromised, could cause harm to the customer, must be audited.

The SAS 70 audit is not a checklist audit; it is an audit that helps an auditor form an opinion on the performance of the company. It looks at how the company uses its internal controls to make sure those controls are not being applied in a way that could compromise personal information.

Type I audit

Type 1 of the SAS 70 audit takes how a company describes its internal controls and then forms a new description based on that. This is entirely based on the auditor's opinion, but the end product is a description of those controls. Basically, you can look at the company's description of its controls alongside the auditor's description. You can see the differences between the descriptions, which can bring about a whole other perspective. However, additional information offered by the business is optional in a Type I audit.

You will find that the auditor will cover these particular areas:

- Organization of your human resources
- Your executive tone
- The life cycle of systems development
- Incident management
- Change management
- Network security
- Logical security
- Physical security
- Computer operations
- Environmental safety
- Business continuity in the case of a disaster

All of these areas are given an opinion by the independent auditor in a Type 1 Audit.

Type II audit

The Type II audit is very similar to the Type I audit. The main difference is that the auditor has to perform tests and write down the results of those tests. In a Type I report, no testing is required, just an opinion on what is going on with the internal controls of the company. In both cases, the business does not have to include additional information; this is optional in both the Type I audit and the Type II audit. The main aspect of the audit is the outside opinion being given on the internal operations of the business.

Benefits to the business

Having an SAS 70 audit performed is very beneficial to the data center company because it gives the business an opportunity to receive an unbiased opinion from someone on the outside. This helps them see their security, their protection of consumer information, and much more through the eyes of another. In the meantime, they are able to take this information and improve those areas of their business that the audit said needed improvement. When customers find out about this, they feel much more secure about the business they are dealing with. This is mainly because the business is taking the initiative to make sure the customer is protected.

So if you need to be SAS 70 compliant, all you have to do is call up a CPA and arrange for them to come into your business and tell you what they see. Based on what they see, you can make the necessary improvements to ensure that you are keeping customer information where it needs to be kept and that your employees are safe. These are two things that every business must possess in order to be successful.
