RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Sender: Records Management Program <[log in to unmask]>
Date: Mon, 5 Feb 2007 17:08:37 -0600
Reply-To: Records Management Program <[log in to unmask]>
From: "Allen, Doug" <[log in to unmask]>

Hugh, can you clarify this a bit?  As I understand it, SAS 70 focuses
primarily on the services companies that handle financial transactions,
and not so much on those who merely provide Records Management services.


Additionally, there are weaknesses within SAS 70, in that the service
organizations that establish controls and request such audits are in a
position where they may be encouraged to avoid setting controls in areas
where they lack the ability to demonstrate performance against
standards, and are measured only against those controls that they
profess to have in place.  SAS 70 appears to be less "prescriptive" than
the ISO 17799 standard that lays out specific controls that must be in
place for data security.

Any thoughts on that?

For those who have an interest in seeking SAS 70 type 2 Audit
Statements, there is a cost associated with the audit that is "not
trivial"... perhaps in the area of $300,000 minimum.  Those are
inevitably passed on to end-users through a service company's pricing
structure.  

Finally, I do know of a major outsourcing firm that has undergone an SAS
70 Type 2 Audit....but while using that as a good advertising tool, they
often fail to provide end-users with services that meet RIM and end-user
requirements that allow them to quickly FIND records.  Specifically,
that firm provides outsourced accounting services to major publicly held
firms in the private sector, provides "scanning services" in conjunction
with those accounting services, but then fails to provide an index to
scanned records (such as Accounts Payable documents) that go beyond the
date of actual scanning.

Can one imagine a firm advertising its great controls providing scanning
services where your only access to scanned records was to guess
correctly which date it was on which they scanned the records, without
regard to the vendor, the original purchase order, etc.?  

Douglas P. Allen, CRM, CDIA+


 

-----Original Message-----
From: Records Management Program [mailto:[log in to unmask]] On
Behalf Of Hugh Smith
Sent: Monday, February 05, 2007 1:08 PM
To: [log in to unmask]
Subject: [RM] SAS 70 Type 2 Audits Statements

In the Sarbanes Oxley, Rule 25, ESI requirements, I interpret a need  
for a Type 2 Audit Statement from the vendors to be provided to the  
companies they serve in records management and media vaulting.

Some of the offsite storage companies are being proactive in putting  
their version of the Type 2 Audit out there. There are two problems  
with this: 1) The Auditors receive it and pass it on and no one reads  
it. (I am assuming part of the problem is that it does not flow down  
stream from Audit and Legal to the records managers who can determine  
if what is being provided really works.)
2) The proactive companies providing the Audit Statement requirement  
are not really adhering to any high level of performance but are  
merely stating what they offer with no caveat of protection just  
storage.

So my question to you is:  Have any of you seen a Type 2 Audit  
Statement from a vendor? Have any of you read it?  Have you commented  
back to Audit about any concerns you have, based on your needs?

I believe that a Records Manager has the right to request these from  
their service providers in the offsite arena.  Has anyone done so?


Hugh Smith
FIRELOCK Fireproof Modular Vaults
[log in to unmask]
(610)  756-4440    Fax (610)  756-4134
WWW.FIRELOCK.COM





List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
