People often ask me what the price of a SAS 70 Type I or SAS 70 Type II audit is. My response? That depends, I say, on many, many factors. Here is what needs to be understood when considering pricing factors for SAS 70 Type I and Type II audits:
1. The CPA firm-Are you looking for brand recognition or are you looking for a cost-effective provider which can simply help you “check the box” for SAS 70 compliance.
2. Scope-What is being examined and tested from a control perspective for SAS 70 audits? Are you looking for just a general controls audit or an audit that also includes specific business processes?
3. Testing period: For SAS 70 Type II audits, what is the testing period going to be? The longer the test period, the more the audit will cost as auditors have to pull larger samples, do more testing, etc.
4. Location of testing: How many physical areas does your organization have that will fall under the scope of the SAS 70 audit? Having more than one means that auditors will ultimately have to travel to numerous locations to conduct more testing. Again, more locations, more time, money, and expenses out of your pocket for the audit itself.
5. Are you confident you can obtain SAS 70 compliance without conducting a SAS 70 readiness assessment? If not and you need assistance identifying weaknesses and gaps within your control environment, then expect to spend more time, money, and resources on the front end of a SAS 70 audit for preparing in an adequate manner.
As you can see, there is no quick, easy, black and white answer to the cost of a SAS 70 Type I or Type II audit.
To learn more about statement of auditing standards no. 70, visit the official sas 70 resource guide, where you can obtain a wealth of information on sas 70 audits.