Methodology and Approach
ETSec's SAS70 Assessments include procedures necessary to obtain reasonable assurance about whether (1) the description presents fairly, in all material respects, the aspects of your organization’s controls that may be relevant to a user’s internal control; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily and user organizations applied the internal controls contemplated in the design of your organization’s controls; and (3) such controls had been placed in operation as of the end of the examination period.
These assessments are performed in accordance with standards established by the American Institute of Certified Public Accountants (including SAS70), and include those procedures considered necessary in the circumstances to obtain a reasonable basis for rendering an opinion. Following ETSec's engagement, an Executive Report will be issued on controls placed in operation.
ETSec's Executive Report also includes tests of operating effectiveness. The opinion states that the controls that were tested, unless exceptions were noted, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified were achieved for the specific software release.
ETSec's SAS70 Service Auditor’s Areas of Review:
- IS security assessments
- IS operational and efficiency reviews
- Strategic information systems and technology planning
- Needs assessment studies
- Hardware/software selections
- Contract negotiations
- Implementation planning
- Project management
- Business continuity planning
- Telecommunications consulting
- Profit improvement studies
- Regulatory compliance assistance
- Business process reengineering
- Workgroup technology consulting (e.g., Lotus Notes)
