Frequently asked questions about the SAS 70 audit

What about the companies whose data is in question? Do they need to worry?

No, and the reason they are asking for the SAS 70 audit of their service providers is that they want to prove that data is secure. The SAS 70 audit proves that data is under control and everything is good. It gives them a level of assurance. Going back to the original example, the payroll company having a SAS 70 audit tells you that the dollars and social security numbers you have trusted them with are safe, that everything is under control.

Are there different types of SAS 70 audits?

There are two different types. Type I is simply a report on controls placed in operation. All it really says is the service company says controls are in place, and the auditor has looked and agrees with them that controls are in place, but no testing has been done.

A perfect example is if someone says they have a lock on their server room door. For a SAS 70 Type I audit, the auditor would go over, take a look and say, ‘Yep, there’s a lock on that door.’ The auditor doesn’t try to open the door or come back unescorted to see if the door is open. The auditor just makes sure that there is a lock on the door.

How does that differ from a Type II?

Type I is as of today. A Type II audit is done over a period of time. The auditor will come in and test to see if things are in place and have been in place during that period of time. So, the auditor would try to open the door and would go back unescorted to see if that door was open.

Or, to look at another example, say you have visitor logs. The auditor will go through them and see if the people signing in or out have appropriate badge ID numbers. If you have visitor badge numbers one through five and somebody signs in with badge three at 9 a.m., then somebody else signs in with badge three at 9:15 a.m., there’s a problem.
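The visitor-log test described above can be automated as a simple consistency check over the log entries. The following Python script is an added example written for this page, not code from the interview or from Skoda Minotti; it assumes a constructed log format of `<date> <time> <IN|OUT> badge=<n> visitor="<name>"` and the five visitor badges from the example. It goes a little beyond the interview's single case: besides a badge that is signed in twice, it also flags badge numbers outside the issued set, sign-outs with no matching sign-in, out-of-order timestamps, and badges that were never signed out, which are the same kinds of gaps a Type II auditor would look for in the log.

```python
"""Consistency check over visitor-log entries (added example).

Assumptions (not from the interview): log lines look like
    2024-03-04 09:00 IN badge=3 visitor="A. Smith"
and the site has issued visitor badges numbered one through five.
"""
from dataclasses import dataclass
from datetime import datetime
import re

VALID_BADGES = range(1, 6)  # badges one through five, as in the interview

# Constructed log-line format; real visitor logs will differ.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<action>IN|OUT) '
    r'badge=(?P<badge>\d+) visitor="(?P<visitor>[^"]*)"$'
)


@dataclass
class Finding:
    line_no: int   # 1-based line in the log where the problem was seen
    badge: int     # badge number involved (0 if the line could not be parsed)
    problem: str   # short description an auditor could put in the workpapers


def parse_entry(line):
    """Return (timestamp, action, badge, visitor) or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M')
    return ts, m['action'], int(m['badge']), m['visitor']


def audit_visitor_log(lines):
    """Walk the log in order and collect every entry that breaks the badge rules."""
    findings = []
    active = {}      # badge -> (line_no, visitor) for badges currently signed in
    last_ts = None   # used to spot entries that are not in chronological order
    for n, line in enumerate(lines, 1):
        entry = parse_entry(line)
        if entry is None:
            findings.append(Finding(n, 0, 'unparseable entry'))
            continue
        ts, action, badge, visitor = entry
        if last_ts is not None and ts < last_ts:
            findings.append(Finding(n, badge, 'out-of-order timestamp'))
        last_ts = ts
        if badge not in VALID_BADGES:
            findings.append(Finding(n, badge, 'badge number not in issued set'))
        if action == 'IN':
            if badge in active:
                # The interview's case: badge 3 signed in at 9:00 and again at 9:15.
                prev_line, prev_visitor = active[badge]
                findings.append(Finding(
                    n, badge,
                    f'badge already signed in by {prev_visitor!r} at line {prev_line}'))
            active[badge] = (n, visitor)
        else:
            if badge not in active:
                findings.append(Finding(n, badge, 'sign-out without matching sign-in'))
            active.pop(badge, None)
    # Anything still signed in at the end of the log was never returned.
    for badge, (line_no, visitor) in sorted(active.items()):
        findings.append(Finding(line_no, badge, f'never signed out ({visitor!r})'))
    return findings


# Constructed sample log for demonstration; the 9:00/9:15 pair mirrors the interview.
SAMPLE_LOG = [
    '2024-03-04 09:00 IN badge=3 visitor="A. Smith"',
    '2024-03-04 09:15 IN badge=3 visitor="B. Jones"',   # badge 3 reused while still out
    '2024-03-04 09:20 IN badge=1 visitor="C. Lee"',
    '2024-03-04 10:05 OUT badge=3 visitor="A. Smith"',
    '2024-03-04 10:30 OUT badge=1 visitor="C. Lee"',
    '2024-03-04 11:00 IN badge=9 visitor="D. Kim"',     # badge outside one through five
    '2024-03-04 11:45 OUT badge=2 visitor="E. Park"',   # sign-out with no sign-in
]

if __name__ == '__main__':
    for f in audit_visitor_log(SAMPLE_LOG):
        print(f'line {f.line_no}: badge {f.badge}: {f.problem}')
```

Run against the sample log it reports four findings: the duplicate sign-in of badge 3 at 9:15, badge 9 not being an issued badge, a sign-out for badge 2 that was never signed in, and badge 9 never being signed out. A clean log (each sign-in followed by its sign-out) produces no findings, which is the result an auditor would want to see over the whole Type II period.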

How would a company determine which kind of audit it should have?

A Type I audit is enough to be SAS 70 compliant. Many customers often request a Type II audit from their service provider, though, to show greater evidence that controls are in place. A Type I is done when a company wants a SAS 70 audit because their customers are asking for one. Once the proper policies and procedures are put in place, a Type I audit is conducted.

Six months later, they have built up a history of following those policies and procedures. Then you do a Type II.

How often should a SAS 70 audit be done?

Minimally, they should be done once per year. It’s more common to have them done once every six months.

Are there any predefined controls that are required to be in a SAS 70?

No, as each SAS 70 is different. First, the auditor identifies the controls in place, and then identifies the tests that need to be done to prove those controls. A payroll company will be concerned about dollars and employees and all the data they have while a company that houses servers will be worried about people tampering with the servers or coming in off-hours — completely different things.

Robert B. Brenis, CGEIT, CISA, MCP, PMP, is a principal with Skoda Minotti Technology Services. Reach him at (440) 449-6800 or rbrenis@skodaminotti.com.