HIPAA VS SAS 70

HIPAA and SAS 70

Recently there has been a marked increase in the demand for SAS 70 audits. This is primarily being driven by the surge of regulatory compliance legislation, coupled with the growing corporate governance initiatives that have been unleashed in the last decade. While many people point to the Sarbanes-Oxley Act of 2002 (SOX) as the prime reason for the rise in SAS 70 audits, other federal legislation, such as HIPAA and the Gramm-Leach-Bliley Act (GLBA), has had a considerable impact as well.

Ask ten people for a good definition of HIPAA and you are likely to get ten different answers. To be fair to these people, HIPAA is a long, vague and cumbersome piece of legislation with many disjointed moving parts. It's hard to get a good grasp on it, but this is what you need to know as it relates to SAS 70 audits. The HIPAA security guidelines and many other ancillary initiatives within this piece of federal legislation advocate protection of private consumer medical records, along with industry-accepted technology protocols for transmitting, protecting, and storing consumer medical information.

That's where SAS 70 audits come in. Long used as the default audit for examining an organization's internal controls, SAS 70 audits have become a favorite go-to audit for ensuring compliance with HIPAA legislation as it pertains to the privacy and confidentiality of consumer medical records. As technology has changed dramatically over the years, its very use has created a need for ensuring that confidential medical information is just that: kept confidential and protected. SAS 70 audits, when performed properly, can examine an organization's internal controls, which can also include the safeguard controls that are to be in place for adhering to HIPAA standards. No, SAS 70 is not a technology audit, nor is it an operational audit; rather, it can be considered a little bit of everything, as it touches many areas within an organization that use technology as part of their internal control structure.