I have already discussed the basics of SAS 70 Third Party Audits in one of my earlier posts. You can also read more about SAS 70 Type I and Type II audits in my earlier posts. A lot many readers have requested me to describe to process of approaching a SAS 70 audit. How does one go about doing a SAS 70 audit. To give a brief overview of the SAS 70 audit, I have made a step by step plan of conducting a SAS 70 audit below:

1. Document the process - This includes a detailed description and write up of the process, services offered, objectives of the service, tasks completed to achieve these outputs, controls related to the process, etc

2. Documenting the systems / applications - The next step is to document the entire set of systems and applications used to for delivering services. This includes questions like what are the key system components, does the application have a security system, how are changes managed etc.

3. Control Objectives - Once all documentation is ready, one needs to develop control objectives based on following criteria like accuracy, restricted access, validity, timeliness etc.

4. Control Activities - Activities which help in the achievement of control objectives are called control activities. Once such control objectives are ready, activities in the process which tie back to the control objectives should be traced.

5. Test - Finally, once all of the above is ready the only task remaining in a SAS 70 audit is to test the control activities, whether the same are operating effectively or not depending upon whether it is as SAS 70 Type I audit or SAS 70 Type II audit.

Related Posts

> IT Controls Framework COBIT , > SOX Real Time Disclosures , > COSO Framework & Risk Categories , > Code of Ethics for Senior Executives