SAS70 Control Activity Pains

The company I work for is in our second attestation period.  The first time was very painful and a lot of extra work, but only a 6 month audit period.  This time we’re under a 9 month audit!  It is very taxing to keep on your toes that much, for that long.
During our first period we learned a lot about how we had written our Control Activities to support our Control Objectives.  We were at times too specific on our CA wording and backed ourselves into a corner more than once.  Luckily we did not have any major exceptions and gained a favorable audit opinion which was quite a milestone for our small company.

The single biggest issue that we found was how we worded the Control Activities.  We made the description specific to the control activity in a way that locked us into that description for the duration of our audit.  This became problematic when we ran into an unforseen issue with how we were then required to do things. If there was a problem, we could not change the CA during the audit period.

This is where my biggest/only recommendation comes in.  Word your CAs so that it refers to a policy/procedure document for how you do things.  That way you can update your document as needed without changing the CA itself.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.