RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Date: Tue, 6 Feb 2007 14:47:13 -0500
From: Hugh Smith <[log in to unmask]>
Reply-To: Records Management Program <[log in to unmask]>
Subject:
> Hugh, can you clarify this a bit?

Oh NO! I professed my ignorance first, so you have to answer my questions before you get to ask any.

> Date:    Mon, 5 Feb 2007 17:08:37 -0600
> From:    "Allen, Doug" <[log in to unmask]>
> Subject: Re: SAS 70 Type 2 Audits Statements
>
> Hugh, can you clarify this a bit? As I understand it, SAS 70 focuses primarily on the services companies that handle financial transactions, and not so much on those who merely provide Records Management services.

It is my belief that all corporations have to provide the SAS 70 as part of their Sarbanes-Oxley requirements, and the Type 2 is for those who provide services to them. (This is why we are seeing some companies trying to go back private to avoid the compliance costs. Some are finding this then sends up red flags that they might have something fishy going on, since they can't comply.)

In addition, for companies to be truly compliant, companies that are involved in their total financial package have a requirement to comply with SOX as well. Some corporations are asking that their major suppliers adhere to it too. This happened with ISO 9000 as well: for you to be compliant, your vendors and service providers had to comply with ISO 9000, or so everyone thought at the time.

> Additionally, there are weaknesses within SAS 70, in that the service organizations that establish controls and request such audits are in a position where they may be encouraged to avoid setting controls in areas where they lack the ability to demonstrate performance against standards, and are measured only against those controls that they profess to have in place.

This is exactly what is happening with the Type 2, as companies develop a package of low benchmarks and then claim compliance. If you don't read their Type 2, and then some disaster happens, and they have clearly told you that they provide absolutely no protection, no insurance coverage, and that they are not to be considered part of your Business Continuity Plan, then the liability all comes back on you! They have disclosed their level of performance under the contract.

> SAS 70 appears to be less "prescriptive" than the ISO 17799 standard that lays out specific controls that must be in place for data security.

I totally agree that ISO 17799 is a better standard for specific controls for data security, and that the Type 2 should state they comply with these more rigid guidelines. But if you have not requested a copy of the Type 2 from your vendors, then you have already opted out of this increased level of performance. Right?

> Any thoughts on that? (on the lack of specificity of SOX and the SAS 70)

They are leaving it open-ended, to be added onto over time. For example, Rule 26, ESI and more will follow. Then they can refer to 17799 if they like, or if something better comes along they can change to that.

> For those who have an interest in seeking SAS 70 Type 2 Audit Statements, there is a cost associated with the audit that is "not trivial"... perhaps in the area of $300,000 minimum. Those are inevitably passed on to end-users through a service company's pricing structure.

If you are a billion-dollar service company, then this is the price you pay to play the game. Although I have not heard these types of quotes. Maybe for Iron Mountain or Recall or Evault or other extremely large companies in the records management field. It has a lot to do with the size of the company being audited. I am asking an accountant friend of mine to answer your questions more accurately, but the issue of...

> there is a cost associated with the audit that is "not trivial"... perhaps in the area of $300,000 minimum. Those are inevitably passed on to end-users through a service company's pricing structure.

I am not criticizing you, but your question opens an old wound. I am weary of this type of comment coming from anyone in records management. You have a job to do. Nowhere in your job description should it say you are worried about cost. You are worried about protecting the livelihood of the corporation's records and therefore its financial well-being. You are an extension of internal audit. If the company that serves you does not have, and is not required to provide, a Type 2, then they should provide some certification of SLA for you. What do you get for what you pay for?

A whole bunch of companies in London wanted cheap storage, and they got it. What they don't have today is the records they paid to store and protect offsite. Why is that? What did they overlook?

Records managers need to focus! A few years ago everybody sought out low-cost contracts and failed to read the contracts they signed, and now the whole industry suffers under billions of dollars of "Hostage Fees". Any records manager that allowed those into their contracts is culpable. What an embarrassment for our industry to allow someone to come in and hold us hostage. And what I heard was "Oh, there is a cost associated with waiving that from our contract." Back then the fee was $3.00 at most. Now we hear fees of $10 and $15.00 per box.

If I were records manager of a company, I would step in and have those hostage fees removed from the contract immediately. Simply have your law firm send a letter telling them you will take them to Federal Court on a claim of "Restraint of Trade", and they back down every time. One records storage vendor was silly enough to allow themselves to be dragged into court, and the judge threw out the hostage fees. Now a precedent has been set.

> Finally, I do know of a major outsourcing firm that has undergone an SAS 70 Type 2 Audit....but while using that as a good advertising tool, they often fail to provide end-users with services that meet RIM and end-user requirements that allow them to quickly FIND records.

This vendor should be forced to provide you or their clients a copy of this document. It was done to provide documentation of what they really deliver. I bet if you could read the document, the service they are providing is exactly what they planned to offer, and they are fine with their plan. If you read the Type 2 plan and discovered they did not meet your needs, then you could act accordingly. You could claim their service level commitment is in breach of what your SLA required and move on.

> Specifically, that firm provides outsourced accounting services to major publicly held firms in the private sector, provides "scanning services" in conjunction with those accounting services, but then fails to provide an index to scanned records (such as Accounts Payable documents) that goes beyond the date of actual scanning.
>
> Can one imagine a firm advertising its great controls providing scanning services where your only access to scanned records was to guess correctly which date it was on which they scanned the records, without regard to the vendor, the original purchase order, etc.?
>
> Douglas P. Allen, CRM, CDIA+

That is amazing. But were they asked to provide indexing? This sounds like a real mess.

I would love to read what their Type 2 described in this area. But maybe the client asked them to scan it and, to save costs, failed to ask for any index. This might be the client's fault?

But back to my original question: has anyone in our group asked for and received a copy of the Type 2 for their company's vendors? If you are using any of the very large records storage companies, they have done them, because their largest clients demanded they provide it. So it is available, and your audit department should have a copy. You should read it to see if there are any surprises.

The conversations today on "CIO adds RM NOW: Convergence of RM and IT" are proof that RMs are rapidly moving into a good position with regard to IT. We must be on top of these new issues.

If you work for a super large company, then your vendor is probably a very large vendor, and then asking for a Type 2 is not out of the question. It is either available or it is not. The crime is in having it available and failing to review it from your department's point of view.

If some incident like London happens and your boxes and media are all gone in one catastrophic event, your failure to know what your SLA was really providing will be viewed as negligence. Auditors stick them in a drawer, as they do not understand the rapidly changing world of IT and RM.

Imagine the CFO's surprise when you ask for a meeting to review deficiencies in the SLA as described by the Type 2. This might be the type of meeting where the Risk Manager, Auditor, Legal and IT all sit around a table and really develop a Business Continuity Plan that means something.

I am guessing from the lack of replies that few have even asked to see the Type 2 from their vendors.

As soon as my accounting expert replies back to me with his answers to your questions, I will forward them on to you.

Hugh Smith
FIRELOCK Fireproof Modular Vaults
[log in to unmask]
(610) 756-4440    Fax (610) 756-4134
WWW.FIRELOCK.COM

List archives at http://lists.ufl.edu/archives/recmgmt-l.html