ITIL : While some companies utilize the SAS 70 audit to promote….


SAS 94

In 2001, SAS 55 was amended by SAS 94 [95], titled “The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit”.

SAS 94 obliges financial statement auditors to place increased focus on the growing role of information technology in meeting financial reporting objectives.

Given this change, SAS 70 reports are now placing similar emphasis on information technology’s role in the control environment of service organizations.

This helps to ensure that the SAS 70 report contains all of the information required by user organization auditors.

SAS 109

In 2006, SAS 55 was superseded by SAS 109 (codified as AU 314 [2]), which provided an expanded theory of an auditor’s responsibility to understand the entity under audit, including, among other items, the information systems the entity employs.

This understanding is to be used in determining certain risks associated with the financial statements and audit.

Changing uses of the SAS 70

Over the last few years, the use of the SAS 70 audit has migrated to non-traditional purposes.

Companies in the financial services industry are required to show adequate oversight of their service providers, for example by obtaining a SAS 70 review to comply with Gramm-Leach-Bliley Act (GLBA) requirements.

Service organizations which provide services to healthcare companies are often asked by their clients to have a SAS 70 audit conducted to ensure an independent third party has examined the controls over the processing of sensitive healthcare information.

While some companies utilize the SAS 70 audit to promote themselves in the “Other Information Provided by Service Organization” section, the more appropriate application is to use properly modified objectives from internal control framework(s) appropriate to their industry and company, such as COSO, COBIT for SOX, ISO, ITIL, BITS, or the AICPA’s Trust Principles (which are specifically applicable to SysTrust or WebTrust services).

Users of SAS 70 audit reports

User auditor

Traditionally, service auditor reports are used primarily as auditor-to-auditor communication.

The auditors of the service organization’s customers (i.e. user auditors) can use the service auditor’s report to gain an understanding of the internal controls in operation at the service organization.

Additionally, Type II service auditor reports can be used by the user organizations’ auditors to assess internal control risk for the purposes of planning and executing their financial audit.

Other third parties external to service organizations

Service auditor reports are growing in popularity and are being used by customers, prospective customers and financiers to gain an understanding of the control environment of outsourcing companies.

In some cases, these third parties are not the intended users of the report, but still find value in it as independent third-party verification that controls are in place and operating effectively.

Unless the report is noted for restricted use only by the CPA firm, the service organization retains control of distributing the report.

Every Service Auditor’s report contains an auditor’s opinion letter.

The opinion letter is required to contain a paragraph that defines the authorized user of the report.

On rare occasions, this paragraph is limited to a specific third party, which may or may not be a user organization.

Use of the report is typically restricted to the service organization’s management, its customers, and the financial statement auditors of its customers.

Typically, a statement in the final paragraph reads: “This report is intended solely for use by the management of XYZ Service Organization, its user organizations, and the independent auditors of its user organizations.”

Financial statement auditor of service organization

The report is not designed to support the financial statement auditors of the service organization, because the service organization’s own financial reporting IT controls are not the target of a SAS 70 audit.

The scope of a SAS 70 audit is the environment that supports the user organizations’ processes.

However, a service organization’s external auditor’s Entity Level Control Considerations may be useful for a SAS 70 report.

Other auditing standards address the appropriate process to obtain client authorizations for auditors of different firms to obtain audit information about a shared client, which may include the sharing of workpapers and reports between the auditors.

Datacenter star audit

The evaluation of a data center is carried out on the basis of a large questionnaire covering four categories (facilities, staff, technology and procedures) and on the basis of a comprehensive inspection by the eco authorised auditors (eAA).

Criteria

Facilities (weight 25%)
• Access control and security
• Protected zones and fire control
• Raised floors
• Position in the building
• Facility feedings
• Scalability
• Structure of the building
• Cleanliness of the data center

Technology (weight 35%)
• Transformer / main distribution for medium and low voltage
• Power supplier
• AC and DC power supply
• Emergency power supply, emergency shutdown, lightning protection
• Air conditioning and air filtration
• Temperature and humidity
• Carrier

Procedure (weight 20%)
• ITIL conformity
• Continuity management
• Existing certifications
• Access procedure
• Data security

Staff (weight 20%)
• Staff size
• Multilingual staff
• Accessibility and availability
• Qualifications
• Quality management

Performance and fulfillment grades

Performance grade 1 (★)
• Basic air conditioning (n)[14]
• Basic power supply (n)
• A UPS (perpetual quality power, overvoltage protection, etc.) designed with (n)
• 5 minutes hold-up time to shut down the operating systems
• Devices for the detection of fire (smoke alarm) and for fire fighting (fire extinguisher)
• Architectural separation of the computer room from other spaces by the minimum F30/T30 (German-specific rating system for fire resistance)
• Several fire sections in the data center are not necessary
• Heat dissipation performance: 220-320 W/m²
• Minimum physical access protection (steel doors/security locks/windowless room or secured window) and a warning system/break-in security
• Certified staff for the operation of the servers (network technology/operating system)
• Stable network connection (min. 1 internet access provider, 1 independent network connection)
• Basic supply routes
Evaluation period: 1 year
• Limited operation because of maintenance: 2 downtimes over 14 hours
• Availability of the data center: 99.2% per year
• 2-3 outages per year with a downtime of 5 hours each[15]

Performance grade 2 (★★)
• Basic air conditioning (n)
• Basic power supply (n)
• A UPS (perpetual quality power, overvoltage protection, etc.) designed with (n)
• 8 minutes hold-up time to shut down the operating systems
• Devices for the detection of fire (smoke alarm) and for fire fighting (fire extinguisher)
• Architectural separation of the computer room from other spaces by the minimum F30/T30 (German-specific rating system for fire resistance)
• Several fire sections in the data center are not necessary
• Heat dissipation performance: 220-320 W/m²
• Physical access protection (steel doors/security locks/windowless room or secured window) with a mental identification feature and a warning system/break-in security
• Certified staff for the operation of the servers (network technology/operating system)
• Stable network connection (min. 2 providers, 2 independent network connections)
• Basic supply routes
Evaluation period: 1 year
• Limited operation because of maintenance: 2 downtimes over 12 hours
• Availability of the data center: 99.671% per year, annual downtime 28.8 hours
• 2-3 outages per year with a downtime of 4 hours each

Performance grade 3 (★★★)
• Air conditioning (n)
• Redundant power supply (n+1)
• Diesel generator
• A UPS (perpetual quality power, overvoltage protection, etc.) designed with (n)
• 8 minutes hold-up time to shut down the operating systems
• Devices for the detection of fire (smoke alarm) and for fire fighting (fire extinguisher)
• Architectural separation of the computer room from other spaces by the minimum F30/T30 (German-specific rating system for fire resistance)
• Several fire sections in the data center are not necessary
• Heat dissipation performance: 430-800 W/m²
• Process of an individualised authentication (biometrics or mental identification feature)
• ITIL process maturity grade 2 (mostly documented and adjusted to the ITIL model)
• Physical access protection (steel doors/security locks/windowless room or secured window) with logging and a warning system/break-in security
• Certified staff for the operation of the servers (network technology/operating system)
• Stable network connection (min. 2 internet access providers, 2 independent network connections)
• Basic supply routes
Evaluation period: 2 years
• Limited operation because of maintenance: 3 downtimes for 12 hours
• Availability of the data center: 99.671% per year, downtime 22 hours
• 2 outages per year with a downtime of 4 hours each

Performance grade 4 (★★★★)
• Air conditioning (n+1) + UPS connection
• Redundant power supply (n+1) and 2 facility feedings
• Diesel generator
• A UPS (perpetual quality power, overvoltage protection, etc.) designed with (n)
• 8 minutes hold-up time to shut down the operating systems
• Devices for the detection of fire (smoke alarm) and for fire fighting (fire extinguisher)
• Architectural separation of the computer room from other spaces by the minimum F30/T30 (German-specific rating system for fire resistance)
• Several fire sections in the data center are not necessary
• Heat dissipation performance: 430-1400 W/m²
• Process of an individualised authentication (biometrics or mental identification feature)
• Access to the data center: at least 2 door systems
• ITIL process maturity grade 2 (mostly documented and adjusted to the ITIL model)
• Physical access protection (steel doors/security locks/windowless room or secured window) with logging and a warning system/break-in security
• Certified staff for the operation of the servers (network technology/operating system)
• Stable network connection (min. 2 internet access providers, 2 independent network connections)
• Basic supply routes
Evaluation period: 5 years
• Limited operation because of maintenance: 2 downtimes for 4 hours
• Availability of the data center: 99.982% per year, downtime 1.6 hours
• 2 outages per year with a downtime of 4 hours each

Performance grade 5 (★★★★★)
• Air conditioning (n+2) + UPS connection (n+1)
• Redundant power supply (n+2) and 2 facility feedings (n+2 can be realized with a technical circuit and substantiated by service level agreements)
• 2 x diesel generator
• A UPS (perpetual quality power, overvoltage protection, etc.) designed with a minimum of (n+1)
• 20 minutes hold-up time to shut down the operating systems
• Devices for the detection of fire (smoke alarm) and for fire fighting (fire extinguisher), VESDA system
• Architectural separation of the computer room from other spaces by the minimum F60/T60 (German-specific rating system for fire resistance)
• Several fire sections in the data center are necessary
• Heat dissipation performance: >= 1500 W/m²
• Process of an individualised authentication (biometrics or mental identification feature)
• Access to the data center: at least 2 door systems
• Optical turnstile for customer entrance
• ITIL process maturity grade 4 (completely documented and adjusted to the ITIL model)
• Documented procedures (e.g. with the help of ISO 27001, ISO 20000, ISO 9001)
• Physical access protection (steel doors/security locks/windowless room or secured window) with logging and a warning system/break-in security
• Certified staff for the operation of the servers (network technology/operating system)
• Stable network connection (min. 5 internet access providers, 2 independent network connections)
• Supply routes doubled
Evaluation period: 5 years
• No limited operation because of maintenance
• Availability of the data center: 99.991% per year, downtime 0.8 h
• 1 outage per year with a maximum downtime of 4 h

Fulfillment grade

Based on the calculated performance grade (%) derived from the questionnaire’s responses and the inspection, the result is assigned to one of the five fulfillment grades (DC Stars).[16]

Fulfillment grade   Percent          Stars
1                   35 – 54%         ★
2                   55 – 64%         ★★
3                   65 – 74%         ★★★
4                   75 – 89%         ★★★★
5                   (not given)      ★★★★★
