SAS70 expert at MediClick joins panel at RTP Exchange event
WRAL Local Tech Wire’s first Exchange event for 2009 is next Thursday and will explore HIPAA, PCI regulations and SAS 70. Tony Verdone, vice president of development and operations at MediClick, will share his expertise on how SAS 70 regulations are impacting today’s business environment.
The event is scheduled for Feb. 5, from 11:30 a.m. to 1:30 p.m., at Bay 7 in the American Tobacco Campus in downtown Durham.
SAS 70 is an acronym for Statement on Auditing Standards No. 70. The American Institute of Certified Public Accountants developed it and maintains it.
Specifically, SAS 70 is a "Report on the Processing of Transactions by Service Organizations." It sets professional standards for a service auditor that audits and assesses internal controls of a service organization. At the end of the audit, the auditor issues a Service Auditor's Report.
It should be noted that SAS 70 is not a bare-bones checklist audit. It is an extremely thorough audit that is used chiefly as authoritative guidance. In today's market, it is a very helpful and substantial audit that demonstrates transparency to the businesses that a service organization works with.
A common perception is that compliance and regulatory issues only pertain to large public companies. Would you agree with that statement?
Considering the SAS70 standard, it is true that public companies are subject to the Sarbanes-Oxley Act of 2002. One may infer that privately held SaaS (Software as a Service) companies can “dodge the bullet” and avoid independent audits. However, many of these companies provide financial services for public companies, and their auditors require that service providers either deliver a SAS 70 audit or be prepared to entertain auditors appearing on their doorsteps. In today’s environment, with so many problems involving frauds and security leaks, it is critical that a company show its commitment to proper controls in managing customer data and application and system software. So, while I agree it’s a common perception, it’s an incorrect one.
You recently took your company through a SAS70 Audit. Why was it important for your company to be certified?
We provide supply-chain management, financials, and contract management systems for health care organizations. Even though we were incorporated in 2000, MediClick is an offshoot of Global Software Inc., a company that has been building package software since the 1980s. Our management team, software developers, support staff, network engineers, and consultants have extensive experience in running a software company.
Our customers are primarily non-profit hospitals. Since our inception, we have seen an increase in auditors from hospitals asking about our SAS 70 audit. Initially we supplied the SAS 70 audit from our hosting site, Savvis Inc. This satisfied our hospital auditors at first. Subsequently, however, more auditors became interested in MediClick’s operations. They wanted to know how we manage source code and customer data. We also have experienced considerable growth and are now working with major IDNs (Integrated Delivery Networks). These IDNs aggregate multiple hospital systems via mergers and alliances and require SAS 70 compliant software providers. Based on these factors, we decided that the time was right to pursue a SAS 70 audit. Additionally, we felt we were well prepared for the audit since most MediClick staff have been involved in software development and deployment since the 1980s. Also, our existing processes were well defined for an audit. In March 2008, McGladrey and Pullen performed our readiness assessment, and in July through December, performed the audit. I am proud to state we did not receive any exceptions in our audit.
Are there specific compliance issues that impact MediClick?
Our first task was to identify any compliance issues that we might have had. For this task, the SAS 70 readiness assessment was invaluable. The readiness process identifies compliance issues that need to be resolved in order to obtain satisfactory results in an audit. Our auditing firm (McGladrey and Pullen) worked with us in identifying these issues, and collaborated with us on resolutions based on best business practices. Our auditors understood the software business and were instrumental in helping define our control objectives.
We encountered several issues that required us to enhance our product suite. We improved the methods that we use to capture changes in critical fields of the customer database. We then made these changes visible to our customers and to MediClick support. Another issue was the single MediClick sign-on used by our customer support team to access and sign on to a customer database. This was completely unacceptable to the auditors. Therefore, we improved this situation by providing unique user IDs for each MediClick person accessing a customer database. The enhanced logging that resulted has been well received by our customer base and has assisted in problem resolution for both customer and technical support.
Since a SAS 70 Audit is far sweeping, we even reviewed and updated our physical security systems. For example, our badge system - running on a Windows 95 computer (aka Crash Davis from Bull Durham) - was completely outdated. We couldn’t even produce a report for the auditors on who accessed what part of the MediClick premises. We have subsequently updated our badge system and can now provide full audit reports as well as easily identify badge users and badge usage.
How has or will this change the way that you do business?
Actually, our goal was not to affect our business in any detrimental way. There is little value in improving controls if it will prevent you from meeting your business goals. The challenge to the management team was to have a successful audit and not adversely affect how we do business. That may appear as an oxymoron, but it was an objective we had to meet. As I have mentioned, we are a team of experienced IT professionals. We have been running a successful business maintaining customer data, handling source code control, and managing 24/7 applications for more than 200 hospitals. In the final analysis, the way we do business has not changed much. However, we are much more proactive in managing our physical and logical security. We apply more due diligence in monitoring systems and compliance. We have developed reports that we run on a monthly basis to list any exceptions to our manual help systems. We have utilized SharePoint as a central repository for documentation: alerts (and responses to alerts), process flows, and human resource documents. There is some pain in managing passwords and more documentation required in the CRM system. But the bottom line is the SAS 70 audit process has made us a better company.
The expert panel at next week’s Exchange event will be moderated by Susan Kellogg, CIO & Associate Dean of Information Technology – Kenan-Flagler Business School. Along with Verdone, other keynote panelists include Don Clow, CTO at Hosted Solutions; and Harry Reynolds, Vice president and Information Compliance Officer at BlueCross BlueShield of North Carolina.
The RTP event is sponsored by Hosted Solutions, InCentric Solutions, Kenan-Flagler Business School, Scale Finance, North Carolina Technology Association (NCTA), Council for Entrepreneurial Development (CED), and BIG Council.
Due to overwhelming response to this initial event, we have added a second date in Charlotte on Feb. 18.
Once again the event will run 11:30 a.m. to 1:30 p.m., at Byron’s South End, and will feature an expert panel discussion moderated by Dan Manley, Senior Manager at KPMG Information Technology Advisory Services. Additional panelists include Patty Brandow, Senior Director of Internal Control Compliance at Time Warner Cable; Keith Haskett, Vice President of Operations with ATTUS Technologies, Inc.; and Gideon Rasmussen, Vice President of Merchant PCI Compliance at Bank of America.
The Charlotte event is sponsored by CED, Hosted Solutions, InCentric Solutions, Kenan-Flagler Business School, and NCTA.
The cost for each event is $20.
