SAS 70 auditing was put into force by the American Institute of Certified Public Accountants in 1992 and is something that has become especially popular in recent years. This has a lot to do with the incredible growth of legislation regarding compliance. An example of a piece of regulation that is focused on compliance is the Sarbanes-Oxley Act of 2002.
You will also find that there are other pieces of legislation such as HIPAA that have been put into place to protect individuals from being violated in some way, particularly in the area of privacy. SAS 70 does the same thing. It keeps individuals from being violated in some way. One way in particular is some sort of private information being released that could be used by others for malicious purposes.
But what does all of this mean and how does an SAS 70 audit protect consumers?
What this means is that there is corporate governance over business practices, especially those practices that could result in a consumer being harmed. The audit ensures that there are no violations taking place and, if there are, those issues can be fixed so that consumers are protected.
Who needs to have an SAS 70 Audit?
If you are required to have an SAS 70 audit, then you probably work in some sort of service organization. You may provide outsourcing services to user organizations. You could be a payroll company that deals with people’s payment information. You could even be a data center providing services to a company. No matter what, you are working in an industry that handles sensitive information. If that information is released in some way, it can find its way into the wrong hands and be used to hurt a company or the consumers who entrust their information to that company.
Where SAS 70 Begins
First of all, if you are an organization that is required to be SAS 70 compliant, you will be asked to do so. You have to ask why it is you need to be compliant and what the long-term expectations are. You have to find out if you are being checked just once, if you have to be evaluated on a yearly basis, and if you need Type II compliance or Type I compliance.
The difference between Type I compliance and Type II is that the Type II audit is more extensive than Type I. Whether or not you need to have a Type II audit depends on what the entity requiring your compliance tells you. They may find that you need a more extensive audit to check the various parts of your business.
Your logical security, network security, physical security, executive tone, human resources, the life cycle of your systems development, environmental security, incident management, and so much more are checked for compliance. These are all components that contribute to the safety of those who work for your company and of those who are customers of your company.
So it is fair to say that if you work in the services industry, you may be asked to be SAS 70 compliant, especially if you handle consumer information such as credit card information, social security numbers, and other personal information. If you hold personal internal information that belongs to another company, you will be asked to be SAS 70 compliant. Not being compliant repeatedly could result in the closure of your operation because that is putting consumer information at risk. So it is better to find out what needs to be done to become compliant from the very beginning so that there is nothing to have to worry about if a future audit is to take place.