Posted by: Charles Denyer
Auditing, audits, Compliance, GLBA, HIPAA, regulatory compliance, SAS 70, Security, SOX, What is SAS 70?
SAS 70 Type I and Type II audits have become increasingly important in today's regulatory compliance arena. Issued in 1992, the SAS 70 auditing standard is used to examine a service organization's internal control environment. In simpler terms, if your organization performs critical outsourced activities for another company, you may very well be called upon to become SAS 70 Type I or Type II compliant.
SAS 70 Type I audits are as of a stated date, while SAS 70 Type II audits cover a period of time, traditionally anywhere from six months to a year. Think of the Type I as a snapshot, and the Type II as covering a period of time during which the controls are actually tested.
There's been much discussion on pricing and scope for SAS 70 audits, so here's what you need to know to stay ahead of the curve for this very important regulatory compliance audit.
SAS 70 pricing is quite scattered, to say the least, with the Big Four accounting firms traditionally charging the highest fees, followed by other nationally recognized non-Big Four firms, then all the way down to the small, regional, one- or two-person firms. While you may not need a Big Four stamp of approval (and their hefty price tag, I might add), it's important that you pick a firm that has expertise in your field, charges a competitive fee, and specializes in SAS 70 audits. Also, ask for a fixed fee, meaning everything, including travel and out-of-pocket expenses, is included in the quote for the audit.
So, what can you expect to pay? As I said earlier, pricing is really scattered and all across the board, but once you determine the timing of the audit and the scope, which is really important, you should be able to get three good quotes which are reasonably close. Buyer beware: you get what you pay for, so a low fee may not adequately cover the requirements of the SAS 70 audit. The resulting SAS 70 report could then actually harm you more than it helps you, as the organizations that read it notice its poor quality.
Scope also greatly determines pricing, as auditors need to know how many physical locations they will be testing, how many different business processes or business lines are being covered in the SAS 70 audit, or whether it is just a general controls report. These are all important considerations which need to be discussed upfront with all CPA firms before you get a bid. Thus, make sure to address the following questions when obtaining a quote from a CPA firm:
1. Does the fee include testing at all my physical locations?
2. What business processes are included in the fee, or is this just a general controls audit?
3. Is the fee a fixed fee, where all travel and out-of-pocket expenses are included?
4. What is the CPA firm's level of expertise in regard to your specific industry?
These are just a sample of the high-level questions that should be asked to initiate a strong, healthy discussion on scope and, ultimately, pricing for the SAS 70 Type I or Type II audit.