Fourspiral can apply its methodologies and experience to demonstrate graphically how process controls function, how they relate to one another, and what the system and human dependencies (in these process workflows) are in a given control chain.
In addition, where the control processes come up short, or show risks due to conflict-of-duty overlap, these can be remodelled. This would be done after discussion with key stakeholders in your company, in preparation for audit compliance.
SOX 404 and BC&DR compliance
There has been much discussion on whether SOX 404 contains a requirement to include BCP and DRP within its scope.
An interesting discussion thread on this subject that is worth reading can be found at the following location: hyperlink
With one major proviso, the general consensus is that BCP and DRP are excluded from the scope of SOX. The proviso is that a business can produce (in real time) up-to-date reports and records pertaining to financial positions and transactions. If you do not have a data recovery environment in place you will not be able to satisfy this requirement: if you lose your site and need to recover, key transactions since the last backup went to tape/disk media may not be available. Having hot secondary copies of key data/databases at a contingent location will allow you to meet the requirement. It will also allow your business to recover in a greatly accelerated timeframe.
It also seems that the major accounting firms can differ in their interpretations of whether DR is included or not.
The question a business must ask itself is: am I happy to comply at this level, or do I consider DRP and BCP a core element of the IT control function?
Senior Manager at Thawte Consulting, responsible for working closely with KPMG on implementing all systems and controls for the attainment of SAS 70 and WebTrust audits, contributing heavily towards Thawte Consulting complying with the strict requirements to trade as a (Digital) Certificate Authority.
This responsibility included overseeing compliance with all logical and physical access controls, logical system and log file controls, software build segregation and strict change management implementation, staff adherence to control policies, disaster recovery and business continuity.
What is the SAS 70 audit?
‘Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA).’ An excellent summary of understanding and preparing for a SAS 70 audit is given below:
Author: Charles Denyer, Tidwell DeWitt, www.tidwelldewitt.com
[Reproduced courtesy of Tidwell DeWitt]
Tips for getting your organization ready for a SAS 70 audit.
By Charles J. Denyer, Audit Assurance Manager, Tidwell Dewitt, LLC
As organizations struggle to comply with ever-growing regulatory mandates imposed from the passage of various acts, such as Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA), another challenge looms just as large and complex: preparing for a SAS 70 audit.
Many organizations fail to understand the necessary steps that must be in place before an auditor can successfully begin field work for a SAS 70 engagement. Consequently, cost overruns and subsequent delays in issuing a “service auditor’s report” are far too common. By making yourself and your organization aware of the tasks involved with preparing for and ultimately engaging in this type of audit, you will save precious dollars and employee man-hours.
Communicate with your auditor:
Many organizations are under the assumption that their SAS 70 auditors will simply arrive and begin field work on a predefined date, with little or no guidance needed from the organization. After all, they are the experts and know exactly what they are doing…right? Wrong. Effectively communicating with your auditor will allow you to make inquiries into their processes, ultimately resulting in a better understanding of key deliverables, such as the expected field work timeframe and the issuance date for a “service auditor’s report”.
A number of internal documents are used by auditors to assist in commencing field work and in issuing a SAS 70 report. Being aware of what these specific documents and procedures are will save your organization time and money by having them in place when the auditors arrive. They include the following:
• Network topography of your organization’s I.T. infrastructure
• Internal I.T. policy manual regarding computer operations, computer security and other related issues
• Documentation pertaining to the Systems Development Life Cycle (SDLC) regarding the platform (i.e., module, application) being examined for SAS 70 compliance
• Employee handbook and related issues
• Business Continuity/Disaster Recovery policy and related issues
SAS 70 Readiness:
While many organizations can answer “yes” to having the above procedures documented and in working order, a large number of institutions find themselves unable to furnish this vital material to their auditors, and thus cannot successfully begin a SAS 70 audit. Though this is a common occurrence, your organization can take a number of proactive steps to produce the documents and put in place the fundamental business processes and controls, ultimately ensuring that the engagement is carried out in an efficient, detailed, and cost-effective manner.
Organizational Chart:
Review and update your company’s organizational chart, including current titles, reporting responsibilities and tenure in current position.
Information Technology Infrastructure:
Review and update your company’s I.T. policy manual, including rules and regulations governing all I.T. operations and I.T. security issues.
Systems/[Software] Development Life Cycle (SDLC):
After having identified the module or application being observed within a SAS 70 audit, steps should be taken to document the stages or cycles of the entire SDLC process.
Employee Issues:
Review and update all employee issues, such as hiring and termination policies, non-disclosure agreement documents, employee evaluation guidelines, and any other information deemed vital.
Disaster Recovery:
Review and update all policies and procedures for disaster recovery, such as “hot site” and “cold site” locations, re-entering original premises, identification of the internal disaster recovery team, and all other related issues.
If your organization does not have these documents or procedures in place, it’s time to engage in a pre-SAS 70 audit with a SAS 70 “Readiness” assessment. In doing so, you are ultimately saving time, money, and valuable resources within your company.
The Next Step:
Communicate with your auditor immediately and notify them that there are deficiencies within your current business model. Identify these weaknesses and ask your auditor how they can assist in developing and putting in place structured processes and procedures. Demand an upfront fee for SAS 70 “Readiness” and inquire about the timeframe for completion.
Shown here on Fourspiral’s website courtesy of Tidwell DeWitt, tidwelldewitt.com.
Fourspiral can assist you in Africa with preparation for undertaking a SAS 70 audit. Good preparatory work will significantly reduce the time it takes to successfully pass an audit of this nature.