SAS 70 audits are being performed on many service organizations in today’s growing regulatory compliance economy. From federal legislation, such as Sarbanes-Oxley to HIPAA, the SAS 70 auditing standard has been pushed to the forefront of the business arena. It’s becoming such a big requirement now that many request for proposals (RFP) are demanding that a service organization be SAS 70 compliant for even bidding on work or submitting a proposal.
So let’s erase some myths and misconceptions about the SAS 70 auditing standard. First and foremost, the audit can be done in an efficient, cost effective manner, provided you find a firm that has a good working knowledge of the SAS 70 auditing standard AND your industry. Put both of those variables together, and you should get a good fee from a quality auditor who truly knows what they are doing.
Secondly, you don’t have to do a SAS 70 Type I first if you need a SAS 70 Type II. Why waste thousands of dollars on a Type I when it’s not really what you needed? Some CPA firms will try and sell you the full package, often including a Type I by stating its needed to begin the audit process. What you need to start with instead is a SAS 70 Readiness Assessment, which will get your organization up to speed and ready for the actual SAS 70 Type II audit.
Lastly, SAS 70 audits can be a reasonable financial proposition, if you use a firm with experience that has a working, scalable model, resulting in efficiency and cost-effectiveness.