
Making the Most of Your SAS 70


By Dave Tilkin, President, ProcessUnity

Making the Most of Your SAS 70? Yes, I know. Having been through it so many times myself, I know what you're thinking. Like so many people responsible for SAS 70 compliance, you probably view the entire process as something to get through, one more pain-in-the-neck item that landed on your already over-long to-do list. More than likely, if you're going through SAS 70 for the first time, you just want to land safely on the other side: a clean Type II report, signed, sealed, and delivered by your auditors. More than likely, if you've already been through the SAS 70 process once or twice, you'll just forget about it until you get a call from your compliance manager letting you know that the auditors are heading in.

Then the scramble begins to round up the usual suspects (all of your control owners) and to unearth everything that was so carefully and sensibly put away last year. (Hmmm, who's got the spreadsheets with the test results? Is the final version of the narrative on my PC or yours? Did Marvin take his paper files with him when he transferred to his new group? How many of the other key players have changed roles or left the building over the past year?)

And, yes, I know, whether you're a first timer or an old-timer with SAS 70, odds are that you're doing it because your customers expect or demand it, not because you actually want to. But it's really time to get beyond this myopic view of SAS 70. After all, SAS 70 is more than just a piece of paper. If you've done your prep work, it is an attestation by non-partisan third party auditors commenting on a well-defined and demonstrably effective control environment. You need to start taking advantage of all the hard work that went into your SAS 70 and look for opportunities to leverage your completed and prospective audits.

Use them to improve the overall operational efficiency of your business by institutionalizing, and expanding on, the controls specifically put in place for SAS 70.

And it goes without saying, if you've received a qualified SAS 70 for whatever reason, it's time to pull your socks up and make sure that next time around you'll get the gold star, rather than the black eye.

How do you do this?
For starters, you need to make the care and feeding of your SAS 70 controls part of your ongoing work, not a grand, once-a-year event. You should be continually looking to improve upon your controls by asking yourself if there's anything in your operations that just might cause your customers to wince if they knew about it, or, worse, anything that puts your organization at risk.

Examining your controls on a regular basis is good business. You may find that "business as usual" practices that actually seem to work pretty well have some holes in them. It may be something quite simple:

• Too many employees may be holding administrative privileges to a key system. This may be convenient, but it's not all that wise.

• Employees may be keeping customer records on their laptops. This may be okay if the laptop is epoxied to a desk behind your firewall, but is a big no-no if the laptop leaves the premises and places confidential information at risk.

• Part of your process may involve person-to-person contact or meetings, not just systems-based checks and balances. This may work just fine, but has everyone been as diligent in documenting these contacts as they need to be? Why wait, perhaps as long as a year, for someone else (those non-partisan auditors) to highlight discrepancies in your control environment, and subject those findings to publication in the SAS 70 documentation?

When it comes to SAS 70, it's also excellent practice to take your customers into consideration. In defining your new SAS 70, think about what is currently on the minds of your customers, or ask them directly. It may make sense to include, wherever possible, controls to address these concerns. Once you've taken care of the "wince factor," are there other controls that your customers might be delighted to find out that you have in place?

That may signal to them how serious you are about operational integrity and rigor. Adding them to your SAS 70 might give you a significant competitive edge.

When you look at your controls, you may also find that what looked "reasonable and customary" just last year is no longer sufficient. Check to see whether any new guidance for SAS 70s has been issued by the AICPA or other regulatory groups. Look for industry and technology changes that should be considered. There are always new threats that were inconceivable until they happened. Sure, you can drive yourself crazy trying to anticipate every last thing that can go wrong, and completely hamstring yourself in the process, but when something new crops up, you do need to have an answer for it. The situation may well be handled in a general control, but if something becomes "headline news" (think the denial of service attacks years back, and this year's spate of stolen laptop horror stories), your customers may well start asking questions around the specifics. One thing to note is that many customers are now asking for additional specifics even when provided with a "clean" SAS 70, let alone one with exceptions. Tolerance for exceptions noted in a SAS 70 is waning fast, and customers are now requiring specific details about the exceptions and how and when they are resolved. Don't wait to be asked. If you need to expand or tighten up your controls, you shouldn't wait until it's audit time. Take care of it proactively.

Let your customers know that you're on top of it, allaying their concerns before something becomes a major issue. Security is always an IT hot button, and this year's crop of considerations includes laptop data policies, laptop and server data encryption issues, and any exposures due to a weak patch-management process.

Even if there's no room for improvement with your controls (and we know that's rarely the case), you can still save yourself some headaches by running periodic tests of your controls. Why wait for the auditor to darken your door? If you're testing your controls regularly, you'll have problems resolved and eliminate the risk of getting a black mark, or a failed audit. You'll also have all the kinks in your process worked out, so that when the auditors arrive their testing process will be streamlined: no more hunting and pecking for the right test data sets and other time-consuming and costly work that may have been standard in past engagements.

Forward-thinking companies run their tests twice a year. Some even do so quarterly. Not only does this provide an early warning system that something's not quite right, it also lets them provide additional assurance to those customers that have reporting periods that are off-cycle with the SAS 70. A natural by-product of this approach is that it gives auditors a higher comfort level when they know that someone else is also keeping an eye on your controls.

Treating your SAS 70 as part of your ongoing process, not just as a burdensome add-on, can result in many benefits. First, and most directly stated, you will develop the types of rigorous processes and controls that decrease the risk that something bad will happen. How bad can something be? At worst, actual harm may come to your customers. (Think about all those Social Security numbers on laptops.) At best, you might get a public black eye that results in lost customers and greater difficulty attracting new ones. And you need to keep in mind that a black eye is seen by more people, and stays a shiner far longer, than it used to.

News stories stay alive forever these days thanks to the Internet, and the blogosphere, with its combination of the truth, the partial truth, and nothing like the truth, spreads bad news virally. Loss of customer confidence is not remedied overnight. And a failed audit may mean increased demands on the part of your customers, or regulatory bodies, to send in their own auditors for a look-see.

Incorporating your SAS 70 efforts into your regular process has many advantages. Staying on top of your controls (current with your processes, current with your testing and documentation) will not only make your audit go more smoothly and quickly, it will minimize the risk that you will receive a qualified audit. It will also minimize the time you'll need to devote to working with the auditors.

This can result in appreciable time and opportunity cost savings when you factor in how often senior level managers become enmeshed in the auditing process. By making SAS 70 an ongoing effort, your results become much more predictable. And process owners acquire the tools, skills, reports, and tangible documentation that the controls they are accountable for are working as intended; everyone sleeps better at night. If you test your controls regularly, you can provide information on interim results to your customers, especially those who are on a non-standard financial filing cycle and may feel that an annual SAS 70 is too out of date for them. If you're a public company that's required to report under Sarbanes-Oxley regulations, SAS 70 information can also be provided to your internal SOX compliance officers as affirmation that the controls and processes they are certifying are in place and working as designed.

Once you start considering the possible benefits of SAS 70, you'll see the process as useful and rewarding. You may even decide to step it up, looking for new ways to expand your SAS 70 so that it becomes a true tool for improvement. Go beyond what's required, and look for the delighters. If you have a truly rich set of SAS 70 controls, it can be used to calm the fears of customers who might want to come in and do an audit of their own. You also have a competitive advantage over those companies treating SAS 70 as something to survive, rather than making the most of it by using SAS 70 to improve their overall business.

A SAS 70 that differentiates you from the competition might well spell the difference between a World Class company and an also-ran.



Dave Tilkin is President of Compliance Solutions/ProcessUnity, Inc.




© 2019 Simplex Knowledge Company. All Rights Reserved.