Regulatory Compliance, Governance and Security

Jun 26 2008   1:40PM GMT

What is SAS 70? | Learn about Pricing & Audit Scope



SAS 70 Type I and Type II audits have become increasingly important in today’s regulatory compliance arena. Born in 1992, the SAS 70 auditing standard is used to examine a service organization’s internal control environment. In simpler terms, if your organization provides critical outsourcing activities for another company, you may very well be called upon to become SAS 70 Type I or Type II compliant.

SAS 70 Type I audits are for a stated date, while SAS 70 Type II audits are for a time period, traditionally anywhere from six months to a year. Look at the Type I as a snapshot, with the Type II as covering a time period.

There’s been much discussion on pricing and scope for SAS 70 audits, so here’s what you need to know to keep you ahead of the curve for this very important regulatory compliance audit.

SAS 70 pricing is quite scattered, to say the least, with the big four accounting firms traditionally charging the highest fees, followed by other nationally recognized non-big four firms, then all the way down to the small, regional, one- or two-man firms. While you may not need a big four stamp of approval (and their hefty price tag, I might add), it’s important you pick a firm that has expertise in your field, has a competitive fee, and specializes in SAS 70 audits. Also, ask for a fixed fee, that is, a quote in which everything, including travel and out-of-pocket expenses, is included. So, what can you expect to pay? As I said earlier, pricing is really scattered and all across the board, but once you determine the timing of the audit and the scope, which is really important, you should be able to get three good quotes which are reasonably close. Buyer beware: you get what you pay for, so a low fee may not adequately cover the requirements for the SAS 70 audit. Thus, the final SAS 70 report could actually harm you more than it helps you as organizations start reading the report and notice it’s bad quality.

Scope also greatly determines pricing, as auditors need to know how many physical locations they will be testing, how many different business processes or business lines are being covered in the SAS 70 audit, or whether it is just a general controls report. These are all important considerations which need to be discussed upfront with all CPA firms before you get a bid. Thus, make sure to address the following questions when obtaining a quote from a CPA firm:

1. Does the fee include testing at all my physical locations?
2. What business processes are being included in the fee, or is this just a general controls audit?
3. Is the fee a fixed fee, where all travel and out-of-pocket expenses are included in the fee?
4. What is the CPA firm’s level of expertise with regard to your specific industry?

These are just a sample of high-level questions that should be asked to initiate a strong, healthy discussion on scope and, ultimately, pricing for the SAS 70 Type I or Type II audit.

If you want to learn more about SAS 70 audits, then SAS 70 sample reports are available from the SAS 70 resource guide.
