SAS 70 Certification

  • All

    Has anyone gone through a SAS 70 audit and certification?

    I am assuming that it is very similar to a SOX audit, but the devil is in the details.

    Thanks in advance

    Eric

  • Can't say I have gone through a SAS 70 attestation; however, I have reviewed them.

    Sounds like you are a 3rd party service provider, so you probably house some company's financial application(s) or are a datacenter or something along those lines.

    A SAS 70 is basically an audit, but not as tough (best way I could put it). Auditors will come in, evaluate your controls around security, software development, etc., and then make a decision on how well your environment is controlled. This info is then relayed on to whoever you provide data services for.

    Here is a scenario of how a normal audit and a SAS 70 attestation could go:

    Normal audit - the company does not review users with access to their in-scope applications/systems; deficiency noted; that deficiency then needs to be remediated.

    SAS 70 - no review of users with access to in-scope apps; that is noted on the report, but it's up to the company if they want to remediate it. It's my guess the company you provide service for will want you to remediate it, so they can put greater reliance on your report.

    Hope that helps. Let me know if you have any other questions.

  • Gone through both, as well as a couple of SysTrust categories. SAS 70, in general, was not as strict as SOX. Ours did a review of access, as indicated by kc, but remediation was left up to our organization. This is unlike SOX, where the review was done and specific remediation steps were proposed.

    K. Brian Kelley
    @kbriankelley