RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Subject:
From: Angie Fares <[log in to unmask]>
Reply To: Records Management Program <[log in to unmask]>
Date: Mon, 29 Nov 2010 18:35:27 -0600
Content-Type: text/plain
Parts/Attachments: text/plain (61 lines)

If any alternate certification is accepted in lieu of a SAS-70 Audit,
then our Internal Audit gets to make the call on whether they are
comparable substitutes.  We would request copies of the audit report to
determine whether the criteria met our requirement for determining
whether the amount of residual risk was acceptable.

Personally speaking as a certified information systems auditor, an
SAS-70 does not relieve the vendor of any obligations, nor does it
release me from performance of due diligence.  It just helps me, as a
client, determine whether or not controls exist and have been certified
by an independent third party.  I have to review the audit work papers
or at least an audit findings report in order to determine whether I can
rely on the work performed as part of my vendor assessment.  However, I
always feel that additional independent testing should be performed by
me, the client, no matter how many awards, certifications, or audits the
vendor waves under my nose.



-----Original Message-----
From: Records Management Program [mailto:[log in to unmask]] On
Behalf Of Larry Medina
Sent: Monday, November 29, 2010 2:53 PM
To: [log in to unmask]
Subject: Re: SAS 70 Audit

On Mon, 29 Nov 2010 , Angie Fares <[log in to unmask]> replied:

>If an SAS-70 Audit has not been performed, then we would look for an 
>alternative certification that indicates informed independent third 
>party review of control processes in the service provided.  For 
>example, if a shred provider did not have a SAS-70 Audit on file, then 
>I would ask for NAID certification.
>

I think it would be critical to find out what NAID "certified against". 
They have their own practice documents but they aren't 'standards', so
is it really a 'certification' or simply a review?  

Does it relieve you as a service provider to a client of any
obligations? 
Would they (in this case, NAID) be willing to go to the mat for your
client if there was a problem?

SAS-70 is pretty strict in its criteria, so I don't know if you can
really accept "SAS-70 Lite" in lieu of the real deal.

Larry
[log in to unmask]

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
To unsubscribe from this list, click the below link. If not already present, place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask]