
What Is SAS 70 Compliance?
And Why Is It Important?

Simply put, SAS 70 compliance is of vital importance to you.

It's also extremely important to your outsourcing provider, if you're looking at IT project outsourcing.

Outsourcing your IT project is the most likely reason you're here at this website, so let's deal with the SAS 70 subject in that context.

The key points to cover are:

  • An overview of SAS 70, how it evolved, and what institutes have become part of this,
  • How the process works,
  • Steps to follow,
  • The types of SAS 70 audit reports and some important concerns,
  • What is SAS 70 certification,
  • Why you need SAS 70?

Overview From An IT Perspective


SAS 70 is an acronym for Statement of Auditing Standards No. 70 as developed by the American Institute of Certified Public Accountants (AICPA).

It contains a set of guidelines that direct the service provider on how to disclose its control processes, activities and objectives to its customers' auditors in a uniform and standardized reporting format.

In a nutshell, it's an independent auditor's report on the internal processes and controls used by your potential IT outsourcer as they pertain to the information services provided to its clients, such as yourself.

As part of IT management, IT Governance is defined by the IT Governance Institute (ITGI) as "the structure of relationships and processes to direct and control the company in order to achieve the company's goals by adding value while balancing risk versus return over IT and its processes."

SAS 70 compliance requirements are associated with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404) and are the primary driver of the IT Governance concept. ITGI published the IT Control Objectives for Sarbanes-Oxley. This guidance became the worldwide standard for the definition of control objectives and control activities as part of Sarbanes-Oxley compliance.

Other important IT Governance frameworks include the IT Infrastructure Library (ITIL) and ISO 17799 (Information Technology - Security Techniques - Code of Practice for Information Security Management).

What's important about SAS 70 compliance? Your organization and your potential service provider must be following these best business practices. References to these subjects and organizations are going to come up again in other subject areas of this website.

Why SAS 70 Compliance Is Important

Section 404 of the Sarbanes-Oxley Act requires service providers to disclose their internal control policies and procedures, whether adequate or not, to fulfill their obligations under the law. This is important because:

  • It facilitates the investigation process by potential clients.
  • All clients then get the same consistent report.
  • It reduces the client's time and costs of investigating the service provider.
  • It shows the client this supplier is following best business practices and is not attempting to hide information, i.e., the provider is trustworthy.
  • Because this report is produced by independent auditors, it puts this service provider in a different class from its peers by establishing that it has effectively designed internal control objectives and activities.
  • As more companies such as yours look to third-party outsourcers, data privacy and integrity are extremely important to you. You need to be certain your data is being processed correctly.
  • If the service provider is being engaged to provide transaction processing, IT infrastructure, data hosting, or any other related "data processing", then your auditor needs to gain an in-depth understanding of the internal controls used by the provider so that he can plan his audit and evaluate the control risks.

SAS 70 Certification

  • Why is certification important to you?
  • What is involved in this process?
  • What if the service provider is not compliant?

These issues and more are covered in our "SAS 70 Certification" page.

SAS 70 Audit

  • The different types of SAS 70 reports
  • The content of the reports
  • Report limitations and issues of concern

These issues are important. Learn more at our "SAS 70 Audit" page.

Other Useful Resources

There's a great deal to be learned about SAS 70 compliance in order to ensure you're following the best business practices in looking for the right IT outsourcing provider. We're here to help.

Our offer of professional help is a serious one. First of all, you'll find that while the site information is exhaustive, it appears in a brief, easy-to-read, often bulleted, executive style.

You won't get bogged down in details while browsing this site, but we DO have extensive in-depth information for you if you want or need it. It's free and all you have to do is ask!

Start right now by going to the Contact Us page and completing the simple online form. You'll receive immediate access to two authoritative industry books, which our site sponsor will mail to you at no cost.

As a thank you for participating in our site, you'll also receive a bonus download of "15 Interview Questions To Ask IT Outsourcing Providers".


© IT Outsourcing Adviser