Regulatory Compliance Assessments
SAS 70 Solutions performs reviews of IT and operational controls against regulatory requirements and frameworks. The following are examples of statutes and requirements against which controls can be evaluated:
- Drug Enforcement Administration (DEA) Electronic Prescriptions for Controlled Substances
- The Fair Credit Reporting Act (FCRA)
- The Federal Trade Commission (FTC) Standards for Safeguarding Customer Information
- The Federal Information Security Management Act (FISMA)
- The Gramm-Leach-Bliley Act (GLBA)
- The Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health (HITECH) Act
- The North American Electric Reliability Council (NERC) Critical Infrastructure Protection (CIP) Requirements
- The Sarbanes-Oxley Act (SOX)
- Securities and Exchange Commission (SEC) Custody of Funds by Investment Advisers Rules
- Various state laws and requirements
It is worth noting that some regulatory control requirements may be addressed through commonly accepted assurance and compliance frameworks such as SAS 70 audits, SysTrust certification, or Agreed-Upon Procedures engagements. Please contact us to discuss what type of assessment and report would be most appropriate for you.
Scoping
The scope of the review can be an entire enterprise, a specific business unit, or a specific domain of focus. In general, the scope should align with the systems and processes that must adhere to the regulatory requirements. Many statutes have reference standards of practice that can be used to conduct the assessment. Examples include the Federal Financial Institutions Examination Council (FFIEC) IT Audit Manual, COBIT, National Institute of Standards and Technology (NIST) publications, and ISO 27002.
Deliverables
The primary deliverables for regulatory compliance reviews include:
- Detailed project plan for the assessment
- Comprehensive information request list allowing the organization’s personnel to gather documentation in advance of fieldwork
- Benchmarking report indicating areas of compliance and non-compliance, with prioritized recommendations for closing "gaps" against the standard
Who Should Consider a Regulatory Compliance Review?
The following are characteristics of the ideal candidate for regulatory compliance review services:
- Any organization, business unit/division, or product line that knows it must comply with a particular regulatory requirement but may not understand the associated control requirements
- Any organization, business unit/division, or product line that seeks to benchmark its operations against the controls (or control frameworks) mandated by regulatory requirements
Disclaimer: SAS 70 Solutions is neither a law firm, nor are our auditors regulatory auditors. Our assessments are not designed to substantiate compliance with any particular regulation; they are aimed at helping organizations understand the IT and operational control requirements mandated by statute and regulation.