Regulatory Compliance, Governance and Security:

June, 2008

Jun 27 2008   6:42PM GMT

SAS 70 Readiness Questionnaire | Kick Start Your Compliance Audit



Posted by: Charles Denyer
Security, HIPAA, Compliance, Auditing, SOX, regulatory compliance, audits, SAS 70, SAS 70 readiness questionnaire

From a regulatory compliance and corporate governance perspective, SAS 70 Type I and SAS 70 Type II audits are having a deep impact on many organizations. They can be costly and time consuming if not undertaken in a proactive, efficient manner. If you are a service organization falling under the regulatory compliance microscope, then SAS 70 audits are probably on your radar screen. What’s important to note is that, as with any audit process, you should have in place a structured, proven methodology for completing the SAS 70 audit. But where do you start? With SAS 70 readiness questionnaire forms and templates, which help guide you and your organization in fulfilling the demanding requirements set forth by this type of audit.

SAS 70 readiness questionnaire forms and templates help organizations understand the scope of the audit and what information will be needed for it, and they assist the service organization in identifying any weaknesses or deficiencies in its internal controls before the auditor does.

Moreover, if audit demands mean your organization needs a SAS 70 readiness questionnaire template for a particular business process, that template helps you prepare even more thoroughly for the audit. For example, if you are a data center providing managed services for clients, then a SAS 70 readiness questionnaire specific to managed services can be utilized. If you are a third party administrator (TPA), you can use a SAS 70 readiness questionnaire that covers plan administration, billing and eligibility, and other notable TPA requirements. In essence, the more you can uncover with a SAS 70 readiness questionnaire, the more prepared you will be for the SAS 70 Type I or Type II audit.

SAS 70 readiness questionnaire forms and templates are available to cover the following core audit areas:

    • Organization and Administration for Executive Tone
    • Human Resources
    • Systems Development Life Cycle
    • Incident Management
    • Change Management
    • Emergency Change Management
    • Logical Security
    • Network Security
    • Physical Security
    • Environmental Security
    • Computer Operations
    • Business Continuity and Disaster Recovery Planning (BCDRP). This area is optional, as the SAS 70 auditing standard states that such plans are not control objectives. However, in today’s IT and compliance world, it would be wise to include it in the scope of the audit.

    You can also receive SAS 70 sample reports by visiting the SAS 70 Resource Guide.

    Jun 26 2008   1:40PM GMT

    What is SAS 70? | Learn about Pricing & Audit Scope



    Posted by: Charles Denyer
    Security, HIPAA, Compliance, Auditing, SOX, GLBA, regulatory compliance, audits, SAS 70, What is SAS 70?

    SAS 70 Type I and Type II audits have become increasingly important in today’s regulatory compliance arena. Issued by the AICPA in 1992, the SAS 70 auditing standard is used to examine a service organization’s internal control environment. In simpler terms, if your organization provides critical outsourcing activities for another company, you may very well be called upon to undergo a SAS 70 Type I or Type II audit.

    A SAS 70 Type I audit reports on the design of a service organization’s controls as of a stated date, while a Type II audit also tests whether those controls operated effectively over a period of time, traditionally anywhere from six months to a year. Think of the Type I as a snapshot and the Type II as covering a time period.

    There has been much discussion on pricing and scope for SAS 70 audits, so here is what you need to know to stay ahead of the curve on this very important regulatory compliance audit.

    Pricing
    SAS 70 pricing is quite scattered, to say the least, with the Big Four accounting firms traditionally charging the highest fees, followed by other nationally recognized non-Big Four firms, then all the way down to the small, regional, one- or two-person firms. While you may not need a Big Four stamp of approval (and its hefty price tag, I might add), it’s important that you pick a firm that has expertise in your field, charges a competitive fee, and specializes in SAS 70 audits. Also, ask for a fixed fee, that is, a quote in which everything, including travel and out-of-pocket expenses, is included. So, what can you expect to pay? As I said earlier, pricing is scattered and all across the board, but once you determine the timing of the audit and the scope, which is really important, you should be able to get three good quotes that are reasonably close. Buyer beware: you get what you pay for, so a low fee may not adequately cover the requirements of the SAS 70 audit. A thin report can actually harm you more than it helps once the organizations that rely on it start reading it and notice its poor quality.

    Scope
    Scope also greatly determines pricing, as auditors need to know how many physical locations they will be testing, how many different business processes or business lines are being covered in the SAS 70 audit, and whether it is just a general controls report. These are all important considerations that need to be discussed upfront with every CPA firm before you get a bid. Make sure to address the following questions when obtaining a quote from a CPA firm:

    1. Does the fee include testing at all of my physical locations?
    2. Which business processes are included in the fee, or is this just a general controls audit?
    3. Is the fee a fixed fee, with all travel and out-of-pocket expenses included?
    4. What is the CPA firm’s level of expertise in my specific industry?

    These are just a sample of the high-level questions that should be asked to initiate a strong, healthy discussion on scope and, ultimately, pricing for the SAS 70 Type I or Type II audit.

    If you want to learn more about SAS 70 audits, then SAS 70 sample reports are available from the SAS 70 resource guide.


    Jun 25 2008   1:59PM GMT

    Regulatory Compliance and SAS 70 Audits | It’s Here to Stay



    Posted by: Charles Denyer
    HIPAA, Compliance, SOX, GLBA, regulatory compliance, audits, SAS 70

    The compliance pendulum is in full swing, pointing heavily towards some very common legislation, audits, and other governance mandates. From the Sarbanes-Oxley Act to HIPAA, Gramm-Leach-Bliley (GLBA) and numerous other federal and state laws and rulings, companies are spending enormous time, money and effort on regulatory compliance.

    And with all the laws and edicts that come out of our nation’s capital and from the various state legislatures, there’s the good, the bad, and the ugly. Let’s take a quick peek at these rulings, their impact, and what the future holds for the compliance crystal ball. My opinions are based on over a decade of audit experience, primarily with information systems, so I hope to provide you with information that is factual, unbiased and practical. Let’s begin with probably the most notable, the Sarbanes-Oxley Act of 2002.

    After the corporate scandals, Sarbanes-Oxley (SOX) was quickly put into effect, and the ramifications have been staggering indeed. Not only have companies spent a tremendous amount of money on becoming compliant, but many other regulatory compliance edicts have grown as a result of SOX. One of the most notable is the SAS 70 audit. Be it a SAS 70 Type I or a SAS 70 Type II audit, service organizations are under the microscope, being required to undergo SAS 70 audits. This stems primarily from Section 404 of the SOX act and its requirement that management certify internal controls over financial reporting, many of which have been outsourced to third parties. If your organization is currently facing a SAS 70 Type I or Type II audit, then it would be a good idea to learn more about what SAS 70 really is.

    As for HIPAA and GLBA, these laws have also resulted in mandatory provisions surrounding the security of confidential data, such as medical records and customer information. As with SOX, SAS 70 audits have quickly become the de facto audit for demonstrating that organizations are adhering to HIPAA and GLBA requirements.

    These are currently three of the biggest laws requiring organizations to undergo a slew of compliance audits, with many pointing towards the SAS 70 auditing standard.

    The Payment Card Industry (PCI) is also having big ramifications on regulatory compliance, as many organizations need to undergo a PCI assessment by a Qualified Security Assessor (QSA). The PCI standards are geared towards organizations that store, process or transmit cardholder data; note that PCI DSS is an industry standard enforced through contracts with the card brands and acquiring banks rather than legislation.

    What’s important to note is that with SOX, HIPAA, GLBA, and other laws, this is really just the beginning of the compliance game. Many new laws and mandates will no doubt be coming down from the halls of Congress and various state legislative sessions.

    Stay informed on these rulings as they will no doubt have serious financial and operational ramifications on your organization.