Thursday, July 29, 2010

Beyond SAS 70

By R. Edwin Pearce (epearce@egisticsinc.com)

A new study from Gartner confirms something that eGistics (www.egisticsinc.com) has known for some time: there's a lot more to effective security, privacy and continuity than compliance with Statement on Auditing Standards (SAS) 70.

"SAS 70 is basically an expensive auditing process to support compliance with financial reporting rules like the Sarbanes-Oxley Act (SOX)," says French Caldwell, research vice president at Gartner. "Chief information security officers (CISOs), compliance and risk managers, vendor managers, procurement professionals, and others involved in the purchase or sale of IT services and software need to recognize that SAS 70 is not a security, continuity or privacy compliance standard."

Published by the American Institute of Certified Public Accountants (AICPA), SAS 70 gives a service provider's auditor guidance on how to report on process-related risks relevant to financial statements and transaction processing. Intended for use by the customer's auditor, the result of a SAS 70 engagement is either a Type I attestation that the processes as documented are sufficient to meet specific control objectives, or a Type II attestation, which additionally includes an on-site evaluation to determine whether the processes and controls actually function as intended.

Gartner believes a SAS 70 Type II evaluation does provide a very high degree of assurance that the examined controls are effective. The performance of controls is evaluated over a period of time; it is not just a snapshot of control effectiveness. However, customers should never assume that the provider has implemented all the appropriate controls, Gartner says.

"To ensure that vendor controls are effective for security, privacy compliance and vendor risk management, SAS 70 ... and other national audit standard equivalents should be supplemented with self-assessments and agreed-upon audit procedures," Caldwell explains.

Interested in learning more? E-mail me at epearce@egisticsinc.com.
