Secrets and Wisdom of a SAS-70 Pro - Part III

What SAS-70 Auditors Look For

Dawn M. Kaye

By now, you're aware that a SAS-70 audit is hard work. It can be extremely time-consuming and requires a lot of preparation to ensure success. Being prepared is only part of the equation, though. A successful SAS-70 audit begins with understanding what a SAS-70 auditor is looking for and preparing key employees to engage in the audit process.

Auditors are looking first and foremost for open communication. If your employees have never worked with an auditor before, it is conceivable that they might be a little nervous. Non-verbal cues like crossing your arms, looking surprised or showing defensiveness can all be construed as suspicious by an auditor. Sometimes auditors ask the same question a different way, so giving two different answers or having to backtrack on an answer will quickly destroy your credibility. Ask questions, and if needed, use the phrase, "I need to think about that a minute" before responding. It is perfectly acceptable to say, "I'm not close enough to that process to be able to answer your question, so let me get clarification and get back to you." Once I tried to answer an auditor's question without knowing all the information and attempted to fill in the blanks. I remember the auditor looking me squarely in the eye once my colleague cleared up the confusion and saying, "That's not what YOU told me." Don't guess; present only the facts. Visit the fourth article in this series, How to Appropriately Interact with Auditors, for more tips on working with the auditors.

Say it, do it, prove it. Say it: the written process or procedure. Do it: ensure that the written process or procedure is being followed. Prove it: have a follow-up mechanism in place that shows the process or procedure was completed (e.g., a sign-off).

Review your controls from an auditor's perspective. According to AuditNet, an online portal designed for auditors, most auditors will look at:

(1) Input Controls;
(2) Transaction Processing Controls;
(3) Output Controls;
(4) File Integrity Controls; and
(5) Auditability.

For each one of these areas, auditors will ask questions about:

(1) processes around proper authorization;
(2) processes around data correctness;
(3) frequency of inputs and outputs;
(4) assurance that data won't be lost;
(5) security and auditability, as it relates to being able to ascertain who made changes to data and when;
(6) error correction;
(7) conformance of processes to general or specific directions of management;
(8) conformance of processes with law, regulation or governance;
(9) security of data being released and assurance that it is delivered to the correct person;
(10) assurance that confidential data is protected from disclosure;
(11) timeliness;
(12) accuracy of record-keeping;
(13) assurance that data is protected from intentional or accidental modification, destruction or disclosure;
(14) proof that processes and procedures are followed.

Where I have personally had the most challenges is in the approval and authorization piece. It's easy to create a process and tell people they have to follow it. What's more difficult is proving they followed it. For situations where approval and authorization are required, consider that you may need spreadsheets, databases, web applications or paper checklists that require signatures and sign-offs.

Now that you know what the auditors will be looking for, read part IV of the series, which will give you tips on how to appropriately interact with the auditors.

Published by Dawn M. Kaye

An avid reader and writer, Dawn M. Kaye has more than 20 years' experience in public relations, writing, operational leadership, coaching, project management and technical management. Dawn currently lives in...
