Audit Preparation
Let's face it. Most people cringe when they hear the word "audit." In the past only staff members who worked directly with financial information had to work with third-party auditors. Everyone else in the company would feel sorry for these individuals while at the same time thinking, "I am glad it's not me."
The business world has changed and now Finance is not the only department that has to participate in audits. Given new regulatory requirements and commonly accepted guidelines, almost every department has to roll up its sleeves and work with third-party auditors. This change has occurred for reasons I will not go into at this time, since most of you can take a good guess. The word "Enron" should come to mind.
Any service provider, especially those supporting public companies, now has to respond to business clients' questions regarding the controls in place to protect customer information throughout the service/product life cycle. This new scenario has implications for a company's technology environment and strategic plans.
An audit of the technology environment can generally be considered a review of the processes and checks in place to ensure the integrity and security of client companies' customer information. A shorthand term for this kind of audit is a "systems audit."
Having to conduct audits means that a company has to budget for such an activity. Audits are often expensive endeavors. One important reason to proactively conduct a widely accepted kind of audit is to avoid having client companies conduct their own audits of your company. Multiple client audits are expensive, stressful, and distracting. It is much easier and less costly to be able to tell clients that you have conducted a standard audit that should answer many of their questions and to show them the corresponding reports.
If a service company chooses to conduct an internal audit, the challenge then becomes deciding on which kind of audit. An employee investigating the options will be overwhelmed by acronyms and differing audit strategies. For this reason, the rest of this article will focus on one form of audit, a "SAS 70" audit.
The SAS 70 audit was developed by the American Institute of Certified Public Accountants (AICPA) in response to the fact that many companies use service organizations for (i.e., outsource) certain business functions that have an impact on their financial statements. To borrow language from the publication Service Organizations: Applying SAS No. 70, as Amended: AICPA Audit Guide, "Because many of the service organizations' functions affect a company's financial statement, auditors auditing the company's financial statements may need information about those services, the related service organization's controls, and their effects on the company's financial statements."
In addition, the only third-party auditors that can assess SAS 70 controls and "certify" a company's compliance are qualified CPA firms. Most companies prefer to use well-known accounting firms that they already use for financial audits. Therefore, a SAS 70 audit fits nicely with financial audit processes that are already in place.
To cut down on the cost of an audit, many organizations first engage a professional services firm to perform a pre-assessment validation against the industry-recommended controls to determine if the organization is truly prepared for a third-party audit, and then work with that firm to address any gaps. This approach can significantly reduce the number of billable hours clocked by accounting companies, which are generally much more expensive to engage than the consulting organizations performing readiness assessments.
In addition, a SAS 70 is perhaps the simplest of the systems audits that can be performed because it is not based on external standards or regulations. On the other hand, its simplicity can be very confusing because it is not something you "pass." Almost any organization looking for a way to explain the SAS 70 process quotes from the SAS 70 website Frequently Asked Questions (FAQ):
Is there a list of SAS 70 standards, control objectives, or checklists? Since service organizations are responsible for describing their controls and defining their control objectives, there is no published list of SAS 70 standards. Generally, the control objectives are specific to the service organization and their customers. However, there are some great sources* of control objectives and other published standards that can be used to prepare for a SAS 70 audit or another type of third party assurance.
*See the Recommended Reading section for information about these sources.
Because a SAS 70 builds on an organization's existing controls, the effort put into conducting a SAS 70 audit is also beneficial for the company in general, because it is motivation to address any existing internal control issues and to document processes. This is a good thing to do whether an audit is being conducted or not!
As with any company undertaking, the most important goal is to meet clients' expectations regarding what type of audit(s) they expect their service providers to conduct. SAS 70 is but one of many options.
Customer Centricity can help you identify which option may be right for your company and help you develop a game plan to prepare for this activity. We have real-world experience in preparing organizations for an audit as well as coordinating the actual audit process.
Recommended Reading
There are several references available to assist with understanding the SAS 70 process presented above:
Service Organizations: Applying SAS No. 70, as Amended: AICPA Audit Guide, published by the AICPA, last updated April 2002. This is available for purchase by AICPA members. There is very likely someone in your organization who is a member.
The Information Systems Audit and Control Association (ISACA) publishes a set of control objectives referred to as "COBIT". Information on COBIT and how to purchase the latest editions is on the ISACA website.
ISACA also publishes a great comparison of different standards and frameworks.
The WebTrust Principles and Criteria and the SysTrust Principles and Criteria (WebTrust and SysTrust are other audit types) can be downloaded for free from the AICPA website. Each principle has specific criteria elements and illustrative controls that can serve as a baseline for your organization.
The IT Governance Institute has published a reference guide entitled "IT Control Objectives for Sarbanes-Oxley". This powerful research tool maps many of the COBIT control objectives to the widely recognized COSO framework for internal control. The control objectives contained in this document could be used as the basis or framework for a SAS 70 service auditor's examination.
The IT Infrastructure Library (ITIL) is an international standard for service management.
The book Auditing Information Systems, by Jack J. Champlain, is available for purchase through Amazon.