SAS 70 Project Case Study

Project Requirements (SAS 70 Type II)


My Fortune 100 employer assigned me the task of preparing for their newly initiated annual SAS 70 audit process in addition to my responsibilities as a Data Center Manager. My directive was to ensure that all dedicated and cross-functional IT departments within the Financial Services Division were prepared for and would pass the audit without equivocation.

Jeff's Audit Solution

1. I immediately engaged company leadership and asked that they designate a single point of contact and a backup contact who would represent their respective departments during the audit. This core team consisted of approximately 30 individuals from across the organization.

2. A project plan was created describing in detail the exact information required by the audit. This information would need to be accumulated throughout the year and presented as a final data set during the audit.

3. There were approximately 125 data elements required by the audit and an additional 50-70 less formal requests for information.

4. As a team we reviewed the data elements in detail. Test data were produced and analyzed for audit readiness. As necessary, procedural changes were initiated after the appropriate discussions, approvals, and implementation steps were performed to capture the needed information.

5. The data was then re-reviewed until the content was determined to be audit-ready by the team.

6. Random data samplings were conducted to simulate an auditor’s actions and the test results were reviewed for readiness. Again, where appropriate, internal departmental procedures were altered to ensure that over a one-year time span the department was able to conduct its primary mission without unnecessary disruption and accumulate the data necessary to pass the audit.

7. Once the initial setup and procedural alterations were completed, I called health-check meetings throughout the year to ensure that departments were tracking according to plan and made course corrections where necessary. Results were forwarded to senior management for review and commentary.

8. At the time of the audit an executive kick-off meeting was scheduled as well as auditor and departmental meetings to begin extracting the information requested by the auditors.

9. For approximately three years, all auditor-requested information was first routed to me for inspection, presentation readiness and overall completeness. Performing this pre-inspection enabled me to track the detailed status of each data element being requested by auditors, including: request priority, status, produced-by, date completed, etc. It was apparent at this stage of audit readiness that a single point of contact model should be utilized. It seems that no matter how prepared a department is, there is always an element of fire-fighting that occurs, and it is very beneficial to have one individual resolving problems and delivering a consistent message to the auditors. Auditors who perceive a problem, either true or imagined, tend to develop tunnel vision on a singular topic, resulting in a trying and undesirable event for an IT organization.

10. In cases where auditors would be conducting real-time tests, I attended the test to monitor the dialogue and to evaluate the internal resource's ability to manage the auditor. As needed, I coached these resources to smooth out bumps and stay focused on the subject matter at hand. For example, our job in IT is to address the specific auditor requests for the specific dates requested. We are to provide nothing more and nothing less than the requested information.

Conclusion

The above example of audit preparedness and project management describes the high-level setup of a new corporate process within a local, dedicated IT support structure. Over the course of seven years, the corporation evolved from a dedicated business and IT support model to a geographically dispersed cross-functional support model. This evolution represented significant risk to our audit preparedness. Newly formed departments became involved, new management structures were implemented, and geographical distance introduced challenges to be overcome.

My responsibility was to ensure that during this transition the newly introduced risks were appropriately mitigated and business continued as usual. The transition from a dedicated support model to a cross-functional model was also a project I managed for the same company. As a Transition Manager and owner of the audit process, the project addressed audit preparedness in great detail.