The SAS 70 audit guide is a series of reports that will help educate individuals on this widely used auditing standard, which was developed in 1992. Section 1.0 gives readers a brief history of SAS 70 audits.
What’s important to note about the auditing standard is that its main purpose is to examine an organization’s internal controls, or control environment. The auditing standard gained much traction within the last five years due to the passage of the Sarbanes-Oxley Act, known simply as SOX to many. At the time of its passage, probably no one knew the implications that section 404 of the SOX act would have on SAS 70 audits. Needless to say, they have been extremely significant. Other regulatory legislation, such as HIPAA and GLBA, has also contributed to the rise of the auditing standard.
To learn more about SAS 70 audits, visit the official resource guide, where current white papers on the auditing standard can be read, along with information on SAS 70 pricing and the ability to obtain SAS 70 sample reports for educational purposes.
SAS 70 audits can be looked upon as an examination of an entity’s control environment. In more technical terms, a SAS 70 Type I audit is used to report on controls placed in operation, while a SAS 70 Type II audit is used to report on controls placed in operation and on the testing of their operating effectiveness.
From this, you can quickly see the difference between a Type I and a Type II audit. A Type II audit’s testing of operating effectiveness essentially means that a testing period is undertaken when examining a service organization’s control environment. That is the main difference between a SAS 70 Type I and Type II.
Keep in mind that Type II audits are commonly used for complying with section 404 of the Sarbanes-Oxley Act. Management (executives of user organizations, that is) must have assurance over their internal control environment, so service organizations that provide outsourcing functions for these very user organizations are often required to undergo a SAS 70 Type II audit.
From health care to financial services and I.T., SAS 70 Type I and Type II audits are having a significant impact in today’s ever-growing regulatory compliance arena. Many service organizations initially struggle with SAS 70 compliance, due in part to a large number of issues. These issues traditionally revolve around audit scope, SAS 70 pricing, and time commitments.
What’s important to understand is that if your organization has become a SAS 70 candidate, it’s wise to educate yourself on this auditing standard, which was put forth by the American Institute of Certified Public Accountants (AICPA) in 1992.
A quality SAS 70 CPA firm, and there are many of them out there, will be able to guide you effectively through the major issues of SAS 70 audits (pricing, scope, time commitments, etc.) and give you a SAS 70 roadmap for compliance, ensuring the audit is completed in a cost-effective, efficient manner.
If your organization needs to embark on SAS 70 Type I or Type II compliance, here’s what you need to know about getting a fair, equitable fee from a CPA firm that proposes on the audit.
- Discuss what the scope of the audit will be, that is, whether it is a general controls audit or whether the SAS 70 Type I or Type II audit proposal includes provisions for examining specific business processes. This is vitally important because the organization requiring you to be SAS 70 compliant may very well have special provisions for the audit. Talk to your clients and communicate this to the CPA firms giving you a proposal.
- Determine the testing time period of the audit, if a SAS 70 Type II is being conducted. Generally speaking, the longer the test period, the more testing will be done, and thus the more costly the audit will be. See if a six (6) month testing period will suffice for your client’s demands.
- Once you have determined scope, make sure to discuss where and when testing will take place. The more physical locations the auditors have to visit, the more costly the audit will be. You may be able to test for the audit at one central location, so be sure to come to an agreement on this early.
- Make sure the proposal is a fixed fee. In today’s economy with rising gas, food, and transportation costs, any non-audit, out of pocket fees can become quite costly. A fixed fee will help mitigate some of these unknown, variable costs.
From a regulatory compliance and corporate governance perspective, SAS 70 Type I and SAS 70 Type II audits are having a deep impact on many organizations. They can be costly and time consuming if not undertaken in a proactive, efficient manner. If you are a service organization falling under the regulatory compliance microscope, then SAS 70 audits are probably on your radar screen. What’s important to note is that, as with any audit process, you should have in place a structured, proven methodology for completing the SAS 70 audit. But where do you start? With SAS 70 readiness questionnaire forms and templates, which help guide you and your organization in fulfilling the demanding requirements set forth by this type of audit.
SAS 70 readiness questionnaire forms and templates help organizations understand the scope of the audit, what information will be needed for the SAS 70 audit, along with assisting the service organization in identifying any weaknesses or deficiencies in their internal controls.
Moreover, if your organization needs specific SAS 70 readiness questionnaire templates for a particular business process because of audit demands, this helps you prepare even more for the audit. For example, if you are a data center and conduct managed services for clients, then a SAS 70 readiness questionnaire specific to managed services can be utilized. If you are a third party administrator (TPA), you can use a SAS 70 readiness questionnaire that discusses plan administration, billing and eligibility, and other notable TPA requirements. In essence, the more you can uncover with a SAS 70 readiness questionnaire, the more prepared you will be for the SAS 70 Type I or Type II audit.
- Organization and Administration for Executive Tone
- Human Resources
- Systems Development Life Cycle
- Incident Management
- Change Management
- Emergency Change Management
- Logical Security
- Network Security
- Physical Security
- Environmental Security
- Computer Operations
- Business Continuity and Disaster Recovery Planning (BCDRP). This is optional, as the SAS 70 auditing standard states that plans are not control objectives. However, in today’s I.T. and compliance world, it would be wise to include it in the scope of the audit.
SAS 70 Type I and Type II audits have become increasingly important in today’s regulatory compliance arena. Born in 1992, the SAS 70 auditing standard is used to examine a service organization’s internal control environment. In simpler terms, if your organization provides critical outsourcing activities for another company, you may very well be called upon to become SAS 70 Type I or Type II compliant.
SAS 70 Type I audits are for a stated date, while SAS 70 Type II audits are for a time period, traditionally anywhere from six months to a year. Look at the Type I as a snapshot, with the Type II as covering a time period.
There’s been much discussion on pricing and scope for SAS 70 audits, so here’s what you need to know to keep you ahead of the curve for this very important regulatory compliance audit.
SAS 70 pricing is quite scattered, to say the least, with the big four accounting firms traditionally charging the highest fees, followed by other nationally recognized non-big four firms, then all the way down to the small, regional, one or two man firms. While you may not need a big four stamp of approval (and their hefty price tag, I might add), it’s important you pick a firm that has expertise in your field, has a competitive fee, and specializes in SAS 70 audits. Also, ask for a fixed fee, that is, one where everything, including travel and out of pocket expenses, is included in the quote for the audit. So, what can you expect to pay? As I said earlier, pricing is really scattered and all across the board, but once you determine the timing of the audit and the scope, which is really important, you should be able to get three good quotes which are reasonably close. Buyer beware: you get what you pay for, so a low fee may not adequately cover the requirements for the SAS 70 audit. Thus, the final SAS 70 report could actually harm you more than it helps you, as organizations start reading the report and notice its poor quality.
Scope also greatly determines pricing, as auditors need to know how many physical locations they will be testing, how many different business processes or business lines are being covered in the SAS 70 audit, or whether it is just a general controls report. These are all important considerations which need to be discussed upfront with all CPA firms before you get a bid. Thus, make sure to address the following questions when obtaining a quote from a CPA firm:
1. Does the fee include testing at all my physical locations?
2. What business processes are being included in the fee, or is this just a general controls audit?
3. Is the fee a fixed fee, where all travel and out of pocket expenses are included in the fee?
4. What is the CPA firm’s level of expertise in regards to your specific industry?
These are just a sample of the high level questions that should be asked to initiate a strong, healthy discussion on scope and, ultimately, pricing for the SAS 70 Type I or Type II audit.
The compliance pendulum is in full swing, pointing heavily towards some very common legislation, audits, and other governance mandates. From the Sarbanes-Oxley Act to HIPAA, Gramm-Leach-Bliley (GLBA) and numerous other federal and state laws and rulings, companies are spending enormous time, money and effort on regulatory compliance.
And with all laws and edicts that come out of our nation’s capital and from various state legislatures, there’s the good, the bad, and the ugly. Let’s take a quick peek at these rulings, their impact, and what the future holds for the compliance crystal ball. My opinions are based on over a decade of audit experience, primarily with information systems, so I hope to provide you with information that is factual, unbiased and practical. Let’s begin with probably the most notable, the Sarbanes-Oxley Act of 2002.
After the corporate scandals, Sarbanes-Oxley (SOX) was quickly put into effect, and the ramifications have been staggering indeed. Not only have companies spent a tremendous amount of money on being compliant, but many other regulatory compliance edicts have grown as a result of SOX. One of the most notable is the SAS 70 audit. Be it a SAS 70 Type I or a SAS 70 Type II audit, service organizations are under the microscope, being required to be SAS 70 compliant. This stems primarily from section 404 of the SOX act and its relation to management having to certify internal controls, many of which have been outsourced to third parties. If your organization is currently facing SAS 70 Type I or Type II compliance, then it would be a good idea to learn more about what SAS 70 really is.
As for HIPAA and GLBA, these legislative provisions have also resulted in mandatory provisions surrounding the security of confidential data, such as medical records and customer information. As with SOX, SAS 70 audits have quickly become the de facto audit for ensuring organizations are adhering to HIPAA and GLBA requirements.
These are currently three of the biggest laws requiring organizations to undergo a slew of compliance audits, with many pointing towards the SAS 70 auditing standard.
The payment card industry (PCI) is also having big ramifications on regulatory compliance, as many organizations need to undergo a PCI QSA assessment. The PCI standards are geared towards organizations that process and hold sensitive credit card information.
What’s important to note is that with SOX, HIPAA, GLBA, and other laws, this is really just the beginning of the compliance game. Many new laws and mandates will no doubt be coming down from the halls of Congress and various state legislative sessions.
Stay informed on these rulings as they will no doubt have serious financial and operational ramifications on your organization.