First and foremost, the requirements for SAS 70 Type II audit and PCI DSS assessment compliance will continue to grow larger; larger in scope regarding the actual requirements and larger in the number of companies having to comply. Data breaches are occurring at a feverish pace, causing great unrest for all participants involved. And add to the notion of the continued importance of corporate governance, regulatory compliance and security, and it becomes quite evident that SAS 70 and PCI will play a critical role for many years.

Additionally, more and more states will start to adopt various provisions of the PCI DSS requirements, turning them into an actual codification of laws for their respective states. Minnesota became that first state with the MN Plastic Card Security Act, followed by Nevada and a host of other states who are seriously looking to an adoption of PCI into law.

As for GLBA and HIPAA, they will more than likely continue to “limp” along as they simply lack the regulatory “teeth” that SAS 70 and PCI have. This may change if the SEC and The Department of Health and Human Services give HIPAA and GLBA more explicit requirements on compliance, but this is highly doubtful.

If you want to learn more about compliance, visit the SAS 70 Resource Guide and the PCI DSS Resource Guide.

And why? Because many service organizations, merchants, and service providers are being asked to become compliant with either a SAS 70 audit, a PCI DSS Assessment or both, for purposes of today’s regulatory compliance initiatives. Take note, Nevada just passed provisions of PCI into law, joining Minnesota as another state that is taking security and privacy to a new level.

I’ve put together a comprehensive white paper on SAS 70 Type II audits and PCI DSS Level 1 assessments that is definitely good reading material if your organization has to become compliant with either of these.

Visit the official SAS 70 Resource Guide to learn more about Type I and Type II audits
Visit the official PCI DSS Resource Guide to learn more about PCI DSS Assessments.

Service organizations of all shapes and size today (data center, co-locations, software as a service, third party administrators, medical claims processors, etc.) are all being called upon to become SAS 70 Type II compliant. The regulatory drumbeat is beating louder every year and SAS 70 audits are here to stay.

A sample SAS 70 Type II audit report will give service organizations a fresh and unique perspective on exactly what the finished product of a SAS 70 Type II audit looks like. Look at it as a way to truly understand the end product and what the CPA firm conducting the audit will be furnishing you with.

Please keep in mind because of the looseness and the flexibility of the SAS 70 auditing standard, not every report will be identical in. However, there are, without question, common themes and subject matter that every quality report will include. The report can be downloaded via pdf

Now, with that said, let me touch on a subject that has been brought up so many times it feels like a broken record: SAS 70 PRICING. So, what do they cost? What SHOULD they cost? These are some of the questions i fielded over the years. With that said, i can tell you what my honest best assessment is for pricing on these engagements, so here you go.

A general controls SAS 70 Type I that covers no real business processes and all fieldwork can be done at one location should be between $15,000 and $25,000.

A general controls SAS 70 Type II that covers no real business processes and all fieldwork can be done at one location should be between $25,000 and $35,000. Thus, subsequent years “could” see a decrease in fees (marginal, that is) if the control environment stays somewhat static.

If you start adding in requirements to test a wide array of specific “business process” controls, the price will go up. Keep in mind, some firms may charge (and do) a slightly cheaper fee than i’ve just quoted. But remember, you get what you pay for, especially for auditors. Find that healthy medium from a quality, boutique CPA firm that specializes in SAS 70 audits and you should be fine.

First and foremost, as an auditor, there should still be independence within the SAS 70 audit and the PCI DSS assessment. Independence how? Simple, do not treat them as one audit, because they are simply not that. Technically speaking, a PCI assessment is just that, an assessment, not an audit, which requires “attestation”. Moreover, there are significant differences between the audit and the assessment, which can be discussed at length (and will be) in a whole different blog.

I stress in the title of this blog that “maybe” there can be audit efficiencies, however, it many times is dependent on the quality of the auditors, their expertise in both conducting a PCI and a SAS 70 audit, and how much they are willing to rely on evidence from the PCI DSS assessment for the SAS 70 audit, and vice versa. Good auditors will find ways to create these efficiencies; other auditors might want to conduct a PCI DSS assessment and rubber stamp a SAS 70-this is a BIG NO NO.

Want to learn more about where these efficiencies of scale can be maximized? To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide and to learn more about PCI DSS Assessments, visit the PCI Resource Guide.

Helpful suggestions on learning about SAS 70 audits include the following:

Know the difference between a Type I and Type II audit
Learn about pricing for SAS 70 audits
Understand and comprehend the meaning of audit “scope”
Learn about a SAS 70 Readiness Assessment and how it can help augment the overall audit process for Type I and Type II reports.

Keep in mind that all organizations are different, as such, your SAS 70 requirements and what you essentially need to “get out” of your report could be significantly different from another company. For example, are you just looking to “check the box” for a compliance report or are you actually seeking value out of your SAS 70 audit.

Visit the official SAS 70 Resource Guide to learn more about SAS 70 Type I and Type II audits.

So, why is this such a repetitive and persistent problem for companies? For the most part, it has to do with the lack of expertise in writing these documented policies and procedures along with finding the time to do them. They can be painstakingly slow and arduous to complete. The solution; hire a firm that have experience and expertise in developing and writing policies and procedures for PCI DSS and for any other regulatory compliance mandate your company may encounter, such as SAS 70 audits.

1. Executive Management/Strategic Management Drivers
2. Human Resources
3. Quality Assurance Activities
3. Client Contract Processes
4. Technical Client Provisioning Processes and Activities
5. Change Management
6. Incident Management
7. Logical Security
8. Network Security
9. Shipping and Receiving Management
10. Physical Security
11. Environmental Security

Any SAS 70 conducted on data centers, managed services providers and co-locations entities that encompass the following above referenced areas can be considered a quality audit and report, at least in terms of scope. It’s then up to the CPA firm conducting the audit to actually perform testing for these above referenced areas, but that’s a whole other topic of discussion for a later date.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.
To learn more about PCI DSS assessments, visit the Payment Card Industry (PCI) Resource Guide.

It’s one of the elements that was missing in the compliance industry, so we thought it was necessary and helpful to put forth an excellent example of a SAS 70 Type II service auditor’s report. And remember, because of the looseness within the auditing standard, no two reports are going to look exactly alike. Sure, there are slightly different variations of SAS 70 reports, but they should encompass and include most of the elements contained within our sample sas 70 available to all who wish to read on and learn more about statement on auditing standards no. 70.

Please take time to educate yourself on this highly used auditing standard by visiting a number of other areas on the website, such as the white papers section, industry news section, along with the what is sas 70 section.

Issue #1: Choosing a Firm for the SAS 70 Audit

There are a number of providers available for SAS 70 audits, ranging from regional CPA firms to the nationally recognized big four firms. And as with anything in life, most organizations try to find the most value for their money, but remember, you get what you pay for. Small firms may be cost-effective, but they may lack the expertise and name recognition of other firms. The big four accounting firms will charge you a heavy premium audit fee, yet you get their name on the report, ultimately giving it a high level of recognition, simply based on who they are.

Remember, SAS 70 Type I and Type II audit prices have a wide range, so it’s probably a wise choice to pick in between, that is, a firm who is specialized, nationally known, not too large and bureaucratic, and provides you with a cost-effective, “fixed fee” that is fair, equitable, and you can live with.

Issue #2: Scoping the SAS 70 Audit

Numerous factors ultimately come into play for pricing considerations, but scoping is extremely important. It tells you and the CPA firm what will be tested, where it will be tested, and how long the test period will be, if a SAS 70 Type II audit is being performed.

To learn more about SAS 70 audits, visit the official sas 70 resource guide.