Secrets and Wisdom of a SAS-70 Pro - Part II

SAS-70 Preparation

Dawn M. Kaye
Now that you've mastered the basics, you have to get ready for the audit. This is by far the most time consuming part of the process and really could be someone's full time job. I remember thinking more than once "I wish I'd have done this or that before the auditors showed up." Read on for some "off the books" suggestions that a person learns only after suffering through a SAS-70 audit.

Summarize the overall purpose, specific objectives, SAS-70 scope, committed resources and expected results of the audit. The most important thing to do when getting prepared for a SAS-70 audit is to define what is in-scope and what is not. There are tasks, processes or procedures your company or department may perform that may not be subject to a SAS-70 audit. If you don't have staff dedicated to coordinating the SAS-70 audit process, it is important to designate a team of individuals to act as an advisory board and project team.

Who should you pick for such a team? Experience has taught me that diversity is the key. In Star Trek terms, you need the Captain, the Science Officer, the Engineer, the Communications Officer, and the Security/Tactical Officer. For your Captain, find someone who has outstanding leadership skills and can quickly get up to speed on SAS-70 basics and then get the team on board to help document and define. For your Science Officer, seek out the most detail oriented person you can find. Maybe it's the person that drives you crazy by questioning everything, the person who picks lint off their sweater during every meeting or the one person that seems to take forever to get projects done because of their meticulousness. For your Engineer, find a person that has the ability to pick apart your processes and procedures and make determinations on what is in scope versus out of scope and what needs to be "fixed" before the audit. For the Communications Officer, find someone who has a knack for writing processes and procedures and making sense out of discombobulated information. Lastly, for the Security/Tactical Officer, find someone that will look for places where authorization is required and be able to create processes to ensure data is secure, correct and intact.

Identify all the documented processes and procedures your company or department has created and begin noting processes and procedures that people perform that are not documented. Getting an inventory of established processes and procedures will help you determine what types of things your company does that could potentially be turned into a SAS-70 control. If this is your first SAS-70, this can be an enormous undertaking. The key to doing this successfully is to identify process owners. Begin first by identifying all the departments in the company and rolling them up to the senior staff member to whom they ultimately report. For each senior staff member, list out all the managers that report to them and the areas for which they are responsible. Next, set up a senior level meeting where you explain the purpose of the SAS-70 audit and hand out a sheet detailing each senior leader's areas of responsibility. Ask each leader to delegate the task of gathering all the documented and undocumented processes and procedures for their area. I have found that in many companies, there is often a repository of information tied up in tenured staff members - questions that only a single staff member can answer or processes that only one or two individuals know how to perform. I key in on this when I ask staff members how they resolve particularly difficult questions and they say, "Alex is our guru - only he can figure that out." or "Jean's not here today so we'll have to wait until she gets back." If these are phrases you hear often, you need to be prepared to do a lot of work to get these items down on paper.

The most effective tool for analyzing your current process state is what I call a Process Matrix. A spreadsheet is a good tool to create this grid. Create a tab for each department. Within each tab, create the following headers: Process Name, Description of Process, Frequency of Process, Input, Output, Responsible Party, Documentation, Tests of Effectiveness. Use of this matrix to record your processes and procedures will provide you with two desirable outcomes: (1) You'll be able to identify and assign owners responsible for writing undocumented processes and procedures (which they will eventually have to maintain); and, (2) You'll be able to identify what outputs may need to be considered for controls.

Identify those processes that could be considered control points. A good rule of thumb when identifying controls is to look for inputs and outputs that deal with (1) security of data; (2) accountability to ensure data reaches its destination; (3) quality assurance of data; (4) approval and authorization of data or data release; (5) segregation of duties; (6) safeguarding of physical assets. A control point represents the point in a process or procedure where a critical event should occur.

For processes that could be considered control points, make sure you have documentation to support them. This can be a daunting task, but keep in mind that SAS-70 audits are much faster and easier if you have documentation to support your business. This is where delegation, ownership and accountability play a key role. By assigning ownership over processes and controls, several individuals together can accomplish the task of getting everything down on paper. The biggest piece of advice I can give you if you have to begin writing a bunch of processes and procedures is to create a standard and require everyone to follow that standard. When I say standard, I mean a list of common definitions, process/procedure templates, file naming conventions, shared file locations and update schedules. In the first SAS-70 audit I was involved in, everyone was asked to write processes and procedures for each of their respective areas. For each of the 10 different areas, there were 10 different ways the information was put together. Being able to present information that has the same look and feel speaks for itself.

Now that you have pulled together the information you'll need for the audit, you're ready to move on to part 3 of the series, which will introduce you to what SAS-70 auditors will be looking for during the audit.

Published by Dawn M. Kaye

An avid reader and writer, Dawn M. Kaye has more than 20 years experience in public relations, writing, operational leadership, coaching, project management and technical management. Dawn currently lives in...
