

Accounting Procedures for Internal Control




AuditNet Ask the Auditor


If you are restricted to one day at the field site, I would want to:

1. Read the SAS 70 before the site visit. If my recollection is correct, I believe it probably should be a Type II SAS 70, which is much more comprehensive. See http://www.sas70.com/ The SAS 70 web site probably explains the difference between a Type I and a Type II SAS 70.

2. Prior to your site visit, send some email questions to each key person for:
A. Computer Security -- for example, monitoring and reporting activities
B. Contingency Planning -- for example, describe their activities
C. Change Management -- for example, describe their key change management controls and their monitoring activities, and maybe
D. The key administrator for the servers -- for example, monitoring and administrator activities that give the server administrator comfort in data integrity

3. The right questions via email, and their answers, should tell you if one area seems to be a problem area. My guess is that 5 to 10 good questions for each one of those should help you assess the strengths and weaknesses.

4. Schedule a site meeting with each of these people, or even meet with all 3 at the same time. Make a telephone call to each of them in which you discuss the earlier questions, let them know when you will be on site, and tell them that you will want to meet with them.

5. Take a 30-minute data center tour after arriving on site, prior to your meetings.

6. Next, have your meeting or meetings.

7. A seasoned auditor might know by this point if any testing needs to be done and, if so, which area should be tested. A SAS 70 Type II review should have noted any likely problems.

8. I believe that your key objective is just gaining a reasonable comfort level that the areas noted in 2 above are operating in a good manner. By the time you complete the steps above, you should have a good feel. The toughest parts of your task are likely to be:
A. reading and assessing the SAS 70 review,
B. creating the subject matter questions to send via email,
C. assessing their answers,
D. observing and quickly assessing the situation on your data center tour,
E. having good questions for the people with whom you meet,
F. evaluating their answers, and
G. determining what to do after you have conducted the previous steps.

Best of Luck,
Tom Crouch
CPA, CIA, CISA, and Attorney
An auditor in Kentucky


Revised: January 14, 2008