SAS70 Compliance Lifecycle
The SAS70 compliance lifecycle consists of the following steps, all of which are automated by the ProcessGene™ GRC Software Suite:
** Note: SSAE 16 has replaced SAS 70. The changes made to the standard bring your company, and the rest of the companies in the US, into line with the international service organization reporting standard, ISAE 3402. Read more about SSAE 16 and how to adjust your SAS70 compliance practice to this revised standard. **
Lifecycle step: SAS70 activities

SAS70 context establishment:
- Definition of the SAS70 compliance-related business processes
- Delineation of process diagrams (optional)
- Definition of the assets within the SAS70 scope
- Standardization and documentation of SAS70 standards, policies and procedures

Risk identification:
- Risk description and identification of risk stakeholders
- Risk classification and determination of heat maps
- Risk assessment and measurement
- Determination of Key Risk Indicators (KRIs)
- Risk tolerance determination

Control determination:
- Definition of controls to mitigate the identified SAS70 risks
- Assignment of SAS70 control owners
- Scheduling and monitoring of SAS70 control execution
- Assessment of residual risk levels

Requirement management:
- Requirement definition
- Automated requirement workflow management
- Requirement fulfillment monitoring

SAS70 audit and remediation:
- Definition and scheduling of SAS70 audit plans
- Definition of mechanisms for testing ongoing SAS70 compliance
- Collection, analysis and storage of SAS70 audit results
- Remediation plan definition, execution and follow-up

SAS70-related incident management:
- Incident recording
- SAS70-related incident handling (using scheduled workflows)
- SAS70-related incident analysis and reporting
- Incident monitoring and follow-up

SAS70 certification:
- Determination of a hierarchical SAS70 certification process
- Establishment of an automated SAS70 certification process
- Monitoring and reporting of SAS70 certification status
- Archiving of SAS70 certification history

Multi-Org management:
- Determination of a global SAS70 compliance baseline with mandatory components
- Establishment of a workflow for examining local (subsidiary) variants
- Enforcement of enterprise guidelines, regulations and frameworks within subsidiaries
- Control of the SAS70 compliance level both locally (per subsidiary) and globally from a central HQ cockpit
The ProcessGene™ SAS70 Software Users
The ProcessGene™ SAS70 compliance software provides value to the following users:
- C-level management (CEO, CFO, CIO, CRO, COO)
- Board of directors
- Compliance officers
- Internal auditors
- SAS70 compliance managers