Who needs to perform a SAS 70 audit?
The SAS 70 audit was implemented by the American Institute of Certified Public Accountants in 1992 and is something that has become especially popular in recent years. This has a lot to do with the incredible growth of compliance legislation. An example of a piece of regulation that focuses on compliance is the Sarbanes-Oxley Act of 2002. You will also find that there are other pieces of legislation such as HIPAA that have been put in place to protect people from being breached in some way. , particularly in the area of privacy. SAS 70 does the same. It prevents individuals from being raped in any way. One particular way is the disclosure of some kind of private information that could be used by others for malicious purposes.
But what does it all mean and how does a SAS 70 audit protect consumers?
What this means is that there is corporate governance over business practices, especially those practices that could result in harm to a consumer. The audit ensures that violations do not occur and if there are, those issues can be fixed so consumers are protected.
Who needs a SAS 70 Audit?
If you’re due for a SAS 70 audit, you probably work for some type of service organization. May provide outsourcing services to user organizations. It could be a payroll company that deals with people’s payment information. It could even be a data center that provides services to a company. Whatever happens, you are working in an industry that handles sensitive information. If that information is disclosed in any way, it can fall into the wrong hands and be used to harm a business or the consumers who entrust their information to that business.
Where SAS 70 begins
First, if you are an organization required to comply with SAS 70, you will be required to do so. You must ask yourself why it is necessary to comply and what are the long-term expectations. You need to find out if you are being reviewed only once, if you need to be evaluated annually, and if you need Type II compliance or Type I compliance.
The difference between Type I and Type II compliance is that the Type II audit is more extensive than the Type I. Whether or not you need to have a Type II audit depends on what the entity requiring your compliance tells you. They may find that you need a more extensive audit to check the various parts of your business.
What is audited?
Your logical security, network security, physical security, executive pitch, human resources, your systems development lifecycle, environmental security, incident management, and much more are all checked for compliance. These are all components that contribute to the safety of those who work in your company and those who are customers of your company.
So it’s fair to say that if you work in the service industry, you may be required to comply with SAS 70, especially if you handle consumer information such as credit card information, social security numbers, and other personal information. If you have inside personal information that belongs to another company, you will be required to comply with SAS 70. Repeated failure to comply could result in the closure of your operation because that puts consumer information at risk. So it’s best to figure out what needs to be done to comply early on so there’s nothing to worry about if a future audit is to take place.
