Secrets and Wisdom of a SAS-70 Pro - Part IV

If there wasn't enough to think about, how you interact with the auditors can be a critical key to your success. Remember that the auditors are there to do a job but then again, so are you. Think about all your successful business relationships. What do they have in common? Most likely there is an element of trust and respect. Establishing this kind of relationship with your auditor is just as critical as it would be with any colleague, manager or peer.

Prep your staff on SAS-70 basics and equip them with the skills to handle the auditors. Educate your staff on the scope and objective of the SAS-70 audit. Staff members that will be answering questions from the auditors need to know what is in scope and what is not. Individuals also need to know that asking for clarification and repeating what they believe the auditor is asking for are both great ways to ensure that they provide only necessary information. I'll never forget sitting in an audit and observing a manager studying one of the control objectives. After a moment, she looked up at the auditor and stated, "That's not right. I've never seen this control before." To have a staff member participate in an audit unprepared is both embarrassing and unacceptable.

Establish a relationship with your auditors. Business is all about relationships. It is important that you foster excellent relations with your auditors. The building of trust in an audit relationship is critical to its success. The auditors must know that you are sincere in ensuring your processes are stable and auditable. When trust relationships do not exist, there is always a cloud of suspicion during the audit that can result in undesirable outcomes like misunderstandings, miscommunication and uncertainty. One of the firms I worked for hired an individual with limited social skills to conduct their SAS-70 audits. The man was absolutely brilliant but his speech was slow, his logic circular and he was unable to hold a conversation for more than a few minutes. Needless to say, the auditors detested working with him and his inability to clearly articulate critical information resulted in our company receiving a qualified opinion.

Always have a senior level person in the room with the auditors at all times to act as a facilitator and escalation point. If you do not have a person onsite that is a SAS-70 coordinator or point person, it will be critical to have a senior level individual in the room with the auditors at all time. The role of the senior leader is to be sure that individuals are only answering questions within the scope of the audit in addition to being available to coordinate the review of information to be released to the auditors. No information should be given to an auditor that has not been reviewed by a senior level individual.

Make sure that employees understand that they are to answer only questions asked of them. Employees should answer questions honestly and at no time should an employee lie or hide the truth about a process or procedure. It is important, though, that employees understand that they are not to expand on any answer they give. A technique I've used successfully in the past is to hand the auditor the written procedure referenced in the control objective and ask what questions they have. It minimizes confusion and demonstrates efficiency. I once saw a high level manager encourage staff members to expand on answers given during an audit. The audit became very confusing for everyone because staff members began discussing tasks they performed outside the scope of the audit. It made the auditors suspicious and questioning the validity of the overall scope. Tell your staff members, "Don't speak unless spoken to and only answer the question asked."

If an auditor asks to observe a process, make sure you have the employee that will be performing the process demonstrate it to a senior level person ahead of time to ensure the process is being followed as outlined in the control objective. Make sure there is a senior level individual present during the auditors' observation to answer questions. If the auditors ask to observe a process, it is important to comply with their request in an environment that you control. At no time should an employee bring a laptop with them to an audit Q&A session and allow an auditor to look over their shoulder while they perform routine tasks. I observed this happening in one SAS-70 audit I attended and the result was disastrous. As the individual continued to perform their daily tasks, the auditor became more and more intrigued with what she was doing and the apparent lack of controls therein. The result was an additional 15 control objectives and a more stringent look at that department which resulted in more work for everyone.

Participating in a SAS-70 audit can be intimidating and time-consuming but remembering a few simple rules can turn potential turmoil to success: (1) Learn the basics; (2) Take time to prepare; (3) Know what the auditors are looking for; and, (4) Know how to interact with the auditors.