SAS 70 Readiness Assessment | How to Prepare for a SAS 70 Audit

There are many organizations who have either internally decided that a SAS 70 audit is in their long term goals or their customers have decided this form them. Either way, proper planning and documentation of policies and procedures is a critical success factor to completing a SAS 70 Type I or Type II audit.

What should I suspect from a SAS 70 Readiness Assessment? Simply put a comprehensive review of your organizations internal policies, procedures, and information systems. How this is executed and what your organizations receive in the form of deliverables is the critical differentiator in preparing your organization for success. So what are these? I have found it extremely useful to provide organizations with high level questionnaires detailing the core requirements for SAS 70 audits, allowing organizations prepare and plan ahead of time. If you understand what you are about to venture into, when it comes time to execute you are that much more prepared. Make sure that your Readiness Assessment provider includes a detailed description of controls that your organization currently has in place in addition to the observations / gap analysis reported. It is important for management to evaluate all of the controls that they are being evaluated on, in addition to the observations / gaps identified by your auditor.

The SAS 70 Readiness Assessment audit is only the beginning for some organizations. If your audit results in a number of significant observations / gaps, management needs to carefully evaluate their SAS 70 Readiness Assessment report, create action plans, assign tasks to responsible personnel, and follow up to make sure action plans and tasks were completed as intended. It sounds like a lot of work, but it is very dependent on each organization and their internal control environment. At the end of a successful audit you should have more defined policies and procedures that should ultimately improve your organizations efficiencies and security.