How can a service provider prepare for a SAS 70 audit?
A service provider can do many things to prepare for a SAS 70 audit engagement. Defining control objectives and identifying related control activities is an important step in the SAS 70 audit process. Many service providers will engage a professional services firm with a background in both financial auditing and IT auditing to assist with drafting the control objectives and evaluating the existing control activities. This allows the service provider to determine if any improvements need to be made with respect to the control environment prior to the start of the actual SAS 70 audit. If the service provider has an internal audit department, the internal auditors could also assist with developing the control objectives and documenting the related control activities. Internal audit can also periodically evaluate and test some of the controls that may be tested as part of the SAS 70 audit to determine if improvements need to be made.
