Has your organization decided that a SAS 70 is in your future? Or has a customer made it known that they will require you to complete one? Either way, it sounds like you need one. The first step is proper planning and documentation of policies and procedures, so that you can ensure success in completing your SAS 70 Type I or Type II audit.
What should I expect from a SAS 70 Readiness Assessment?
Simply put, a comprehensive review of your organization's internal policies, procedures, and information systems. How this is executed, and what your organization receives in the form of deliverables, is the critical differentiator in preparing your organization for success. So what are these? I have found it extremely useful to provide organizations with high-level questionnaires detailing the core requirements for SAS 70 audits, allowing organizations to prepare and plan ahead of time. If you understand what you are about to venture into, you are that much more prepared when it comes time to execute. Make sure that your Readiness Assessment provider includes a detailed description of the controls that your organization currently has in place, in addition to the observations / gap analysis reported. It is important for management to evaluate all of the controls that they are being evaluated on, in addition to the observations / gaps identified by your auditor.
The SAS 70 Readiness Assessment audit is only the beginning for some organizations. If your audit results in a number of significant observations / gaps, management needs to carefully evaluate the SAS 70 Readiness Assessment report, create action plans, assign tasks to responsible personnel, and follow up to make sure action plans and tasks were completed as intended. It sounds like a lot of work, but it is very dependent on each organization and its internal control environment. At the end of a successful audit you should have more defined policies and procedures that should ultimately improve your organization's efficiencies and security.