ISO 17799 and SAS 70 Compliance
Anna02
3 Posts
I am looking for information pertaining to compliance and the regulations in HR.
Which resources have you found most helpful and can you point me in the right direction for obtaining this information.
I did a search on this with no luck.
Comments
Hi Ana -
A great description of ISO 17799 can be found at http://www.17799.com/papers/iso17799scope.pdf
SAS 70 engagements are detailed examinations of the internal controls over the policies and procedures of service organizations. The examination covers both operating and information technology controls. User organizations (customers of service companies) or the auditors of user organizations typically require the SAS 70 reports. More companies are taking the initiative to have a SAS 70 engagement performed for internal assurance and as a means to differentiate their service. Only an independent certified public accountant (CPA) firm can perform a SAS 70 audit.
One of the most effective ways a service organization can communicate information about its controls is through a Service Auditor’s Report. There are two types of Service Auditor’s Reports: Type I and Type II.
A Type I report describes the service organization’s description of controls at a specific point in time (e.g. June 30, 2006). The auditor will perform procedures to obtain reasonable assurance about whether:
•The description of controls, presents fairly, in all material respects, the aspects of the controls that may be relevant to the users’ internal control as it relates to an audit of financial statements
•The controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were compiled with satisfactorily, and the user applied those controls contemplated in the design of the Organization’s controls
•Such controls had been placed in operation as of, for example, June 30, 2006.
A Type II report not only includes the service organization’s description of controls, but also includes detailed testing of the service organization’s controls over a period of time. In addition to the procedures performed for a Type I engagement, the auditor will perform tests of the controls supporting the control objectives to determine whether the controls were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period from, for example, January 1, 2006 to December 31, 2006.
For more info, try
http://www.infosecwriters.com/text_resources/pdf/ISO17799.pdf
http://www.17799central.com/
Sample Audit Report: http://www.pgww.com/ondemand/PGWW%20SAS%2070%20Type%20I%20Version%203.0-Revised.pdf