Being a software company providing an application in a hosted SaaS model to very large companies (Fortune 1000), we knew it was only going to be a matter of time before one of them required us to undergo a 3rd party audit. Well, the time finally came and we are currently working on our first SAS 70 Type II audit. For those of you not familiar with this audit, it’s really just checking that you have appropriate controls and documentation in place, and more so that you’re doing what you say you are doing, not requiring you to do certain things. So it’s really all about formal processes and documentation.
For those of you who have worked at small companies, you know formalized processes and documentation are not that common, and we were no exception. So while we were already doing pretty much everything that was required, almost none of it was documented to the extent, or as formally, as the auditors wanted to see. Luckily, the company we contracted to perform the audit did a “pre-audit” or evaluation, where they basically come in, review your current operations and let you know what kinds of things you have to improve on in order to make it through the audit successfully. They also provided sample lists of the things they would look for when they came back to actually perform the audit.
Obviously, this process has driven quite a bit of change around here in many ways. Hiring processes have changed and become more formal, many of the applications we use have changed, we needed to implement a much more structured and documented software development lifecycle, and much more. Probably the most difficult issue for us was the requirement for separation of duties. For example, someone who can develop and compile code cannot be the person who releases new versions into production. Yes, it makes perfectly good sense: if the same person can release new versions into production, they can basically release whatever they want. However, being a small company where we all wear many different hats, this was quite a pill for us to swallow.
Over the next couple of days and/or weeks I will continue with some posts about some of the items we had to address and the solutions we came up with. From the solutions, you will probably notice that we are big fans of open source software and even bigger fans of FREE open source software. While we’ve been able to stick with a lot of open source software, we’ve had to shy away from some of the FREE software since a lot of it didn’t provide the level of reporting required for the audit. But all in all, it works out for the best, as we usually had to spend more time (which we all know is almost always more expensive than a software license) configuring and customizing the FREE solutions than some of the other solutions out there.
I’d also be interested to hear from other small business IT managers out there who have had to undergo a SAS 70 or similar audit, and to hear about some of the issues you faced and the solutions you found as well.