SAS 70 Consultancy and Readiness Assessment

Historically, outsourcing has always been about cutting costs and focusing on core competencies. However, in the current business scenario, outsourcing is a strategic decision that can be the deciding factor between gaining a competitive edge versus losing focus. The objectives of outsourcing are being able to access best-of-breed services, at lower costs, while still keeping risks at manageable levels. The offshore outsourcing industry has become mature, process- and quality-driven, and security conscious as well.

One of the key challenges in the outsourcing scenario is the ability to drive a common set of controls effectively across borders, cultures and time zones. The regulatory pressure – especially the introduction of the Sarbanes Oxley Act in 2002 – has led organizations to drive their vendors to also comply with controls to ensure risks to the business are kept at an acceptable level.

This brings us to the Statement on Auditing Standards No. 70, Service Organizations, a widely recognized auditing standard issued by the American Institute of Certified Public Accountants (AICPA) in April 1992. An audit carried out under this Statement, commonly called SAS 70, attests that a service organization has been through an in-depth audit of its control activities, including general computer controls and outsourced processes. The SAS 70 report also provides useful information on the entity-level controls of the service organization.

There are two types of SAS 70 reports - Type I and Type II.

  • In a SAS 70 Type I report, the service auditor reports whether the controls have been suitably designed and placed in operation as of a particular date.
  • A Type II report goes one step further: the service auditor also tests the operating effectiveness of the controls over the reporting period – generally 6 months.

Benefits of SAS 70

Since a SAS 70 report is typically an auditor-to-auditor communication, intended to give its audience a clear picture of the degree of assurance that can be derived from the controls present at the service provider, it typically consists of:

  • The auditor’s opinion, on the design, implementation and effectiveness of controls at a service organization
  • A description of the service organization’s control environment, its control objectives and controls that are in place to achieve those control objectives
  • Details of the tests performed by the auditor to assess operating effectiveness and the results of these tests
  • Information intended for use by the user organizations and user organizations’ independent accountants

Benefits of a SAS 70 to user organizations:
  • User organizations that obtain a SAS 70 report from their service organization are able to arrive at a clear picture with respect to the service organization’s control environment
  • In the case of a Type II report, the user organization receives an independent assessment of whether controls were placed in operation, suitably designed, and operating effectively

Benefits of SAS 70 to service organizations:
  • An independent and unqualified opinion issued by an accounting firm gives the service provider a key differentiator over its competition with regard to its controls and the effectiveness of their operation
  • Provides the service organization with an opportunity to increase the trust of its user organizations
  • SAS 70 engagements are performed by control-oriented professionals with experience in accounting, auditing and information security, thereby allowing the service organization to have its control policies and procedures evaluated and tested (in the case of a Type II engagement) by an independent party
  • Very often this process results in the identification of opportunities for improvement in many operational areas

How can NII help?
  • Services to service organizations
    • NII consultants can help service organizations define the right set of controls and design them properly
    • We can also help service organizations implement the controls effectively, taking into account regulatory, contractual and legal requirements
    • Finally, we can help service organizations prepare for SAS 70 Type I and Type II audits by conducting internal audits
  • Services to user organizations
    In collaboration with our CPA partners, we can arrange for SAS 70 Type I and Type II audits to be conducted and reports to be issued, providing assurance with regard to the controls at the service organization.

Conclusion

Essentially, SAS 70 is an audit based on agreed control objectives and controls that are relevant to the functional environment of the outsourced process or project. Whereas CMM, ISO 9001, ISO 27001 and similar standards allow compliance to be demonstrated through certification, SAS 70 involves formulating control objectives and controls based on the risks in the outsourcing arrangement that could affect the financial statements of user organizations. Hence, the control framework for a SAS 70 is defined per engagement, and the examination scope is decided by the service organization in consultation with the user organization and its auditor.