>> Hugh, can you clarify this a bit?
>
Oh NO! I professed my ignorance first so you have to answer my
questions before you get to ask any.
> Date: Mon, 5 Feb 2007 17:08:37 -0600
> From: "Allen, Doug" <[log in to unmask]>
> Subject: Re: SAS 70 Type 2 Audits Statements
>
> Hugh, can you clarify this a bit? As I understand it, SAS 70 focuses
> primarily on the services companies that handle financial
> transactions,
> and not so much on those who merely provide Records Management
> services.
It is my belief that all corporations have to provide the SAS 70 as
part of their Sarbanes Oxley requirements and the Type 2 is for those
who provide services to them. (This is why we are seeing some
companies trying to go back private to avoid the compliance costs.
Some are finding this then sends up Red Flags that they might have
something fishy going on that they can't comply.)
In addition, for companies to be truly compliant, companies that are
involved in their total financial package have a requirement to
comply with SOX as well. Some corporations are asking that their
major suppliers adhere to it as well. This happened with ISO 9000 as
well. For you to be compliant, your vendors and service providers
had to comply with ISO 9000 or so everyone thought at the time.
> Additionally, there are weaknesses within SAS 70, in that the service
> organizations that establish controls and request such audits are in a
> position where they may be encouraged to avoid setting controls in
> areas
> where they lack the ability to demonstrate performance against
> standards, and are measured only against those controls that they
> profess to have in place.
This is exactly what is happening with the Type 2 as companies
develop a package of low benchmarks and then claim compliance. If
you don't read their Type 2 and then some disaster happens and they
have clearly told you that they provide absolutely no protection, no
insurance coverage and that they are not to be considered part of
your Business Continuity Plan, then the liability all comes back on
you! They have disclosed their level of performance under the Contract.
> SAS 70 appears to be less "prescriptive" than
> the ISO 17799 standard that lays out specific controls that must be in
> place for data security.
I totally agree that ISO 17799 is a better Standard for specific
controls for Data Security and that the Type 2 should state they
comply with these more rigid guidelines. But if you have not
requested a copy of the Type 2 from your vendors then you have
already opted out of this increased level of performance. Right?
> Any thoughts on that? (on the lack of specificity of SOX and the
> SAS 70)
They are leaving it open ended to be added onto over time. For
example Rule 26, ESI and more will follow. Then they can refer to
17799 if they like or if something better comes along they can change
to that.
> For those who have an interest in seeking SAS 70 type 2 Audit
> Statements, there is a cost associated with the audit that is "not
> trivial"... perhaps in the area of $ 300,000 minimum. Those are
> inevitably passed on to end-users through a service company's pricing
> structure.
If you are a billion dollar service company then this is the price
you pay to play the game. Although I have not heard these types of
quotes. Maybe for Iron Mountain or Recall or Evault or other
extremely large companies in the records management field. It has
to do a lot with the size of the company being audited. I am asking
an accountant friend of mine to answer your questions more accurately
but the issue of.........
> there is a cost associated with the audit that is "not
> trivial"... perhaps in the area of $ 300,000 minimum. Those are
> inevitably passed on to end-users through a service company's pricing
> structure.
I am not criticizing you but your question opens an old wound. I am
weary of this type of comment coming from anyone in records
management. You have a job to do. Nowhere in your job description
should it say, you are worried about cost. You are worried about
protecting the livelihood of the corporation's records and therefore
its financial well being. You are an extension of internal audit. If
the company that serves you does not have and is not required to
provide a Type 2, then they should provide some Certification of SLA
for you. What do you get for what you pay for?
A whole bunch of companies in London wanted cheap storage and they
got it. What they don't have today is the records they paid to store
and protect offsite. Why is that? What did they overlook?
Records managers need to focus! A few years ago everybody sought out
low cost contracts and failed to read the contracts they signed and
now the whole industry suffers under billions of dollars of "Hostage
Fees". Any records manager that allowed those into their contracts
is culpable. What an embarrassment for our industry to allow
someone to come in and hold us hostage. And what I heard was "Oh,
there is a cost associated with waiving that from our contract."
Back then the fee was $3.00 at most. Now we hear fees of $10 and
$15.00 per box.
If I was records manager of a company I would step in and have those
hostage fees removed from the contract immediately. Simply have your
law firm send a letter telling them you will take them to Federal
Court on claim of "Restraint of Trade" and they back down every
time. One records storage vendor was silly enough to allow
themselves to be dragged into court and the judge threw out the
Hostage Fees. Now a precedent has been set.
> Finally, I do know of a major outsourcing firm that has undergone
> an SAS
> 70 Type 2 Audit....but while using that as a good advertising tool,
> they
> often fail to provide end-users with services that meet RIM and end-
> user
> requirements that allow them to quickly FIND records.
This vendor should be forced to provide you or their clients a copy
of this document. It was done to provide documentation of what
they really deliver. I bet if you could read the document that the
service they are providing is exactly what they planned to offer and
they are fine with their plan. If you read the Type 2 plan and
discovered they did not meet your needs, then you could act
accordingly. You could claim their service level commitment is in
breach of what your SLA required and move on.
> Specifically,
> that firm provides outsourced accounting services to major publicly
> held
> firms in the private sector, provides "scanning services" in
> conjunction
> with those accounting services, but then fails to provide an index to
> scanned records (such as Accounts Payable documents) that go beyond
> the
> date of actual scanning.
>
> Can one imagine a firm advertising its great controls providing
> scanning
> services where your only access to scanned records was to guess
> correctly which date it was on which they scanned the records, without
> regard to the vendor, the original purchase order, etc.?
>
> Douglas P. Allen, CRM, CDIA+
That is amazing. But were they asked to provide indexing? This
sounds like a real mess.
I would love to read what their Type 2 described in this area. But
maybe the client asked them to scan it and to save costs failed to
ask for any index. This might be the client's fault?
But back to my original question, has anyone in our group asked for
and received a copy of the Type 2 for their company's vendors? If
you are using any of the very large records storage companies, they
have done them because their largest clients demanded they provide
it. So it is available and your audit department should have a
copy. You should read it to see if there are any surprises.
The conversations today on CIO adds RM NOW: Convergence of RM and IT
are proof that RMs are rapidly moving into a good position with
regard to IT. We must be on top of these new issues.
If you work for a super large company then your vendor is probably a
very large vendor and then asking for a Type 2 is not out of the
question. It is either available or it is not. The crime is in
having it available, and failing to review it from your department's
point of view.
If some incident like London happens and your boxes and media are all
gone in one catastrophic event, your failure to know what your SLA
was really providing will be viewed as negligence. Auditors stick
them in a drawer as they do not understand the rapidly changing world
of IT and RM.
Imagine the CFO's surprise when you ask for a meeting to review
deficiencies in the SLA as described by the Type 2. This might be
the type of meeting that the Risk Manager, Auditor, Legal and IT all
sit around a table and really develop a Business Continuity Plan that
means something.
I am guessing from the lack of replies that few have even asked to
see the Type 2 from their vendors.
As soon as my accounting expert replies back to me with his answers
to your questions, I will forward them on to you.
Hugh Smith
FIRELOCK Fireproof Modular Vaults
[log in to unmask]
(610) 756-4440 Fax (610) 756-4134
WWW.FIRELOCK.COM
List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance