What are the primary differences between a SAS 70 audit and the host of security assessments provided by IT consultants?
Because of the unique nature of what may be included in a SAS 70 report, auditors have implemented an exhaustive list of policies, procedures and related controls that must be examined for this type of engagement. What makes this type of audit superior to any other type of internal control review is, quite simply, the scope of the engagement and the volume of information included in the final service auditor’s report. While IT security consultants focus primarily on general and application controls when conducting their assessments, SAS 70 auditors emphasize these and many more areas, such as operational and human resources issues, physical security guidelines, and business continuity plans for the unlikely event of a disaster that interrupts the business. In essence, the greater the scope, the more meaningful and useful the document is, and this is what makes SAS 70 superior to any other internal control review procedure.