Regulatory Compliance, Governance and Security:

sas 70 type ii

Nov 29 2008   5:30PM GMT

SAS 70 Type II Audits | An Auditor’s Expert Opinion on Pricing



Posted by: Charles Denyer

People often ask me what the price of a SAS 70 Type I or SAS 70 Type II audit is. My response? That depends, I say, on many, many factors. Here is what needs to be understood when considering pricing factors for SAS 70 Type I and Type II audits:

1. The CPA firm: Are you looking for brand recognition, or are you looking for a cost-effective provider that can simply help you “check the box” for SAS 70 compliance?

2. Scope: What is being examined and tested from a control perspective for SAS 70 audits? Are you looking for just a general controls audit or an audit that also includes specific business processes?

3. Testing period: For SAS 70 Type II audits, what is the testing period going to be? The longer the test period, the more the audit will cost as auditors have to pull larger samples, do more testing, etc.

4. Location of testing: How many physical areas does your organization have that will fall under the scope of the SAS 70 audit? Having more than one means that auditors will ultimately have to travel to numerous locations to conduct more testing. Again, more locations, more time, money, and expenses out of your pocket for the audit itself.

5. Are you confident you can obtain SAS 70 compliance without conducting a SAS 70 readiness assessment? If not and you need assistance identifying weaknesses and gaps within your control environment, then expect to spend more time, money, and resources on the front end of a SAS 70 audit for preparing in an adequate manner.

As you can see, there is no quick, easy, black and white answer to the cost of a SAS 70 Type I or Type II audit.

To learn more about Statement on Auditing Standards No. 70, visit the official SAS 70 Resource Guide, where you can obtain a wealth of information on SAS 70 audits.

Nov 28 2008   10:43PM GMT

SAS 70 Audit Reports | Start with a SAS 70 Readiness Assessment



Posted by: Charles Denyer

Successful completion of SAS 70 Type I or SAS 70 Type II audit reports should start with undertaking a SAS 70 Readiness Assessment. A readiness assessment is an important part of the audit process in that it helps identify weaknesses, gaps, and deficiencies within your organization’s control environment. Many organizations unfortunately rush into a SAS 70 Type I or Type II audit and, as a result, suffer the consequences of ill-planning and mismanagement. The result? More time, fees, and man hours are put into the audit, which, in all actuality, really shouldn’t have been if they had started off with a readiness assessment.

Furthermore, some firms even offer free SAS 70 Readiness Assessment questionnaires for helping your organization prepare and undertake the audit itself. What’s more, quality CPA firms can develop templates that are highly customized to your specific industry, thus adding even more value to the SAS 70 Readiness Assessment phase. As the old saying goes, you crawl before you walk; it’s wise to conduct a SAS 70 Readiness Assessment before embarking on the actual audit process.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide, where you can obtain a wealth of information on SAS 70 audits.


Nov 23 2008   7:46PM GMT

SAS 70 Type II Audit Reports | Why SAS 70 is Here to Stay



Posted by: Charles Denyer

We live in a world of heightened regulatory compliance and corporate governance. From the passage of the 2002 Sarbanes-Oxley Act to numerous other pieces of legislation (HIPAA, GLBA, just to name a few), “comply, comply, comply” is the new mantra being pushed throughout organizations and at all levels. The SAS 70 audit, originally introduced as the 70th auditing standard in April of 1992, has stood the test of time as the main “go to” compliance audit for many of these regulatory requirements that have ushered from the halls of Congress.

Okay, so, why is it here to stay? Well, for a number of reasons. First and foremost, it will always be used as an audit tool for evaluating service organizations that could have a material impact on a company’s “information system”. This term is used to describe the user organization’s “information system”, that is, what services are being performed by the service organization that are considered a part of the user organization’s “information system”. Transactions, procedures (be it manual or automated), supporting information, and the capturing of events and conditions are all considered traits and activities that relate to, have an effect on, and impact the user organization’s “information system”.

Second, the SAS 70 auditing standard has been quite flexible, adapting to the needs of service organizations that must have their control environment examined. Witness the numerous times the SAS 70 auditing standard has been amended over the last 16 years to keep “pace” with the changes of business.

Third, the SAS 70 auditing standard has become very quickly recognized as the global de facto audit for internal controls on service organizations. In short, it has built up quite a following that is simply very hard to ignore.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.


Nov 13 2008   2:40AM GMT

SAS 70 Audit Costs and Pricing | What You Need to Know



Posted by: Charles Denyer

If your organization is planning on undertaking a SAS 70 audit, be it a Type I or a Type II, then there are some important points you need to learn about SAS 70 audit pricing.

First and foremost, make sure to get a “fixed fee” for the SAS 70 engagement. A fixed fee includes all out of pocket, travel, and other miscellaneous expenses that are incurred by the auditor for purposes of conducting the audit. More and more firms are moving to the fixed fee model, so take advantage of this type of pricing.

Second, scope greatly determines the price of the SAS 70 audit, so be sure to properly scope the audit. That means answering the who, what, when, where and why for the audit. Who needs the report, and are there any specific requirements they are looking for? What is the audit test period? When will testing be done? Where will testing be done, such as what facilities will be part of the SAS 70 audit scope? These are all important points to cover when assessing scope for a SAS 70 Type I or SAS 70 Type II audit.

To learn more about SAS 70 audits and what a SAS 70 is, and to obtain a wealth of information on the auditing standard itself, visit the official SAS 70 Resource Guide.


Oct 27 2008   9:22PM GMT

SAS 70 Audits | Make Sure to Get a “Fixed Fee” for the Audit



Posted by: Charles Denyer

SAS 70 audits today are being conducted by CPA firms large and small, big and tall. Though they vary greatly in size, complexity and audit skills, what seems to be the industry standard is a “fixed fee” for the audit. Fixed, meaning that all the fees for the engagement are wrapped and bundled into one price. This “fixed fee” also includes any out of pocket travel and miscellaneous expenses that the CPA firm would incur for doing the audit.

Buyer beware, as not all “fixed fees” are the same. Some “fixed fees” have clauses that say the “fixed fee” is only for the engagement itself and does not include travel or any other expenses you may incur. Additionally, some fixed fees may include the travel and out of pocket expenses but may also bill you for preparing reports, after-audit consulting fees, etc.

In short, read the fine print and make sure the “fixed fee” really is fixed. Another point, make sure the fixed fee gradually goes down after year one. Why? Because the CPA firm conducting the audit should have a good working knowledge of your company, thus fees should be marginally reduced for subsequent years (5 to 10 percent). However, if your scope changes, then expect the fees to go up.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.


Oct 27 2008   9:03PM GMT

SAS 70 Audit Reports | What You Need to Know About Them



Posted by: Charles Denyer

SAS 70 Type I and SAS 70 Type II audits are fast becoming a mainstay in today’s regulatory compliance environment. If your organization is seeking to become SAS 70 Type I or SAS 70 Type II compliant in the near future, then here are some helpful tips in adequately preparing for all aspects of the audit.

1. Requirements: Do you need a SAS 70 Type I or SAS 70 Type II audit?
2. What is the scope of the audit? What business lines, services, and operations have to be covered in the SAS 70 audit? Are there specific demands that need to be within the audit that somebody is asking for?
3. Pricing: Always obtain three (3) quotes and get a “fixed fee” for the audit, that is, the entire audit, including travel and all out of pocket expenses, is included within the fixed fee.
4. Testing period: If moving forward with a SAS 70 Type II audit, what is the test period going to be? (Note: test periods are traditionally 6 or 10 months long; you will have to identify this with the CPA firm that will be conducting the SAS 70 audit.)
5. SAS 70 Readiness: Make sure you conduct a Readiness Assessment before moving forward with the audit. It will prove invaluable in understanding your control environment.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide, where you can obtain a wealth of information on SAS 70 audits, including a sample SAS 70 report.


Oct 19 2008   9:28PM GMT

SAS 70 Type II Audit Reports | A SAS 70 Auditor’s Expert Opinion



Posted by: Charles Denyer

SAS 70 Type I and SAS 70 Type II audits are being required more and more by service organizations in today’s growing regulatory compliance and heightened corporate governance environment.

Thus, if you are a service organization or a third party provider of critical services to another entity, you may very well be called upon to become SAS 70 Type I or SAS 70 Type II compliant.

If you want to learn about the who, what, when, where and why of Statement on Auditing Standards No. 70, commonly known as SAS 70, then visit the official SAS 70 Resource Guide, where a wealth of information on the SAS 70 auditing standard awaits you. You can download white papers on SAS 70, read about the history of the auditing standard, learn certain SAS 70 specific terms and phrases that auditors use along with even obtaining a sample SAS 70 audit report.

Many service organizations having to go through a SAS 70 audit have voiced frustration in not being able to find a true resource portal that breaks down, distills, and explains the SAS 70 auditing standard in an easy to read and explainable format.

So, visit the SAS 70 Resource portal for all your needs on SAS 70 audits.


Oct 19 2008   9:17PM GMT

SAS 70 and PCI DSS | An Auditor’s Expert Opinion



Posted by: Charles Denyer

Many organizations are having to complete both a SAS 70 Type I or SAS 70 Type II audit along with being Payment Card Industry (PCI) compliant. With that being said, I am often asked if you can create efficiencies of scale if a firm does both the SAS 70 audit and the PCI assessment. That answer is yes, but please keep in mind it is not a perfect one to one match. The SAS 70 audit, remember now, is NOT a technology audit, whereas the PCI assessment requires a much more in-depth examination of information security. That’s not to say that a SAS 70 audit does not have technology involved in the audit process; it does, and in many cases, quite a bit of technology. But with that said, please keep in mind that the original auditing standard’s intent was not for it to be a technology driven audit.

However, with all this being said, a quality CPA firm that has the experience and licensing requirements to do both a SAS 70 audit and a PCI assessment can create a highly effective gap analysis that will show where overlaps occur and where documentation will still be needed for either the SAS 70 audit or the PCI assessment, depending on which one is conducted first.

For more information on NDB, LLP’s SAS 70 services, visit the official SAS 70 Resource Guide.

For more information on PCI assessments, visit NDB’s PCI website, which discusses PCI in detail and the services NDB offers.


Oct 19 2008   8:27PM GMT

SAS70 Audit Reports | Understanding SAS70 Type I & Type II Audits



Posted by: Charles Denyer

Does your organization need to be SAS70 compliant? If so, many people often ask me if they have to complete a SAS70 Type I audit before doing a SAS70 Type II audit. And the answer? Well, it all depends on a number of factors, such as: 1. Has your organization ever gone through a SAS70 audit before, and if so, when? 2. Are you required to be SAS70 Type II compliant or will a SAS70 Type I suffice for your clients for this year? 3. What is your deadline for completing a SAS70 audit and when must it be presented to your clients or their auditors?

As you can see, there’s no quick black or white answer to the question. The most important thing to understand is what requirements are being put on you by another entity for being SAS70 compliant. In essence, you should be able to answer the who, what, when, where and why within a relatively short period of time. You can also call a CPA firm that specializes in SAS70 audits to help answer these questions for you.

If you want to learn more about SAS70 audits, then visit the official SAS70 Resource Guide, where a wealth of information awaits you on SAS70 audits.


Sep 26 2008   5:33PM GMT

SAS70 Audit Reports for Data Centers | Important Facts to Know



Posted by: Charles Denyer

SAS70 audits have quickly become a mainstay in the world of data centers, managed services and co-location entities, and this will no doubt continue to grow. This is happening for a large number of reasons, but primarily because data centers (and any variant thereof, such as managed services and co-location entities with “ping, power and pipe”) are hosting an ever growing and enormous amount of information for many service providers. These service providers are commonly being asked to be SAS70 Type II compliant. As such, the data centers used by these very service organizations are commonly included within the scope of the SAS70 audit.

And what should data centers take from this? A good idea would be to become SAS70 compliant, and here’s why.

1. SAS70 compliance helps mitigate and possibly eliminate many of the specialized requests your clients make of you to help them facilitate their own SAS70 compliance.

2. It greatly helps with business development and marketing for data centers.

3. It helps unearth any weaknesses or deficiencies you may have within your control environment.

To learn more about SAS70 audits and data centers and to receive a complimentary SAS70 Type II audit report, visit the official SAS70 Resource Guide.