Many Third Party Administrators (TPA) are going through the rigorous SAS 70 process in today’s heightened regulatory compliance arena. From Sarbanes-Oxley to HIPAA, corporate governance and the calls for greater controls and inquiries into a TPA’s daily operations are louder than ever.  Many small and medium size TPA organizations, of which there are many, comment on the overall frustrations of a SAS 70 audit, stating that they are expensive, time consuming, and typically are done by an auditing firm with little or no experience in regards to their actual business model.  As a SAS 70 auditor for many years and working for a firm that specializes in SAS 70 audits on TPA organizations, this is uncomfortable news to say the least The audit should not be considered an expensive, painful process. Rather, it should be looked upon as a helpful tool for helping build a strong system of internal controls, while also serving as a great marketing tool for your TPA. Last and surely not least, the SAS 70 should effectively display to your plan sponsors, current clients, and other interested parties that your TPA has a strong control environment, complete with a adequate safeguards for all activities that are carried out on a daily basis.

Now, as for finding a firm with expertise, that sometimes can be a challenge, so i recommend you ask a series of questions for helping ensure you pick the right firm for the SAS 70 Type I or Type II audit. The following questions, if answered correctly, should calm any fears about whether you have found the right firm or not:

1. How many Third Party Administrator (TPA) entities have you issued a SAS 70 for?

2. Specifically, what is your  working knowledge on the different types of TPA’s, such as property & Casualty TPA’s, self funded medical TPA’s, along with a TPA’s computer and software systems, etc?

3. Do you have a set of SAS 70 readiness questionnaires specifically tailored towards a TPA for helping my organization prepare for the SAS 70 audit?

4. Can you provide me with a SAS 70 sample report of a TPA?

If they can answer yes to these questions, you’ve found the right firm. If not, move on and keep looking for a SAS 70 provider that truly knows your industry.

SAS 70 audits have been around since 1992, but recent legislation has pushed the SAS 70 auditing standard into the spotlight. Namely, the Sarbanes Oxley Act of 2002 (SOX). When congress passed the SOX act, management of publicly traded companies were required to report on their company’s financials, and report on their internal controls in regards to financial reporting. Therefore, the SAS 70 quickly became the audit of choice for both user and service organizations, or rather, the de facto auditing standard.

As a user organization, the benefits of a SAS 70 are quite abundant. First off, when the user organization requests a SAS 70 report from their service organization, they get an official document outlining the service organizations internal controls. Additionally, they see that the controls were placed in operation, with possible tests of operating effectiveness (if a Type II Report) being performed. Most importantly, the user organization can supply their external auditors with the service organization’s SAS 70. In essence, this facilitates the user organization in auditing its financial statements. If no SAS 70 were present, the user organization would have to spend enormous time and effort in auditing the service organization for ensuring its compliance.

Service organizations receive significant benefits from this audit as well. To start with, it is a great way for a service organization to build trust with user organizations. Moreover, a SAS 70 report can entertain multiple customers’ audit requests. With no SAS 70 present, the service organization would likely spend too much time auditing “themselves” to entertain their customers requests, and less time conducting their business. Finally, a SAS 70 audit is the perfect opportunity to identify any weaknesses in your internal controls.

If you take a step back and look at these benefits to both user and service organization, it is clear to see that the SAS 70 is a powerful compliance tool currently being used and widely accepted by many industries. Combined with the fact that regulatory compliance legislation will only increase as time passes, one can clearly see the opportunities, but also the challenges that can lay ahead for a service organization.

Want to learn more about SAS 70 audits? Then receive SAS 70 sample reports from the official SAS 70 resource guide.

If you need to learn more about SAS70 reports, then SAS70 sample reports can be obtained from the official SAS70 Resource Guide at www.sas70.us.com. The resource guide provides a wealth of information on the auditing standard, ultimately helping to educate all interested parties on the many complex facets of SAS70 audits.

Many service organizations that have to go through a SAS70 audit express frustration in not really knowing what a final report looks and “feels” like, that is, what are its contents and material. To help ease this frustration, the SAS70 Resource Guide is now offering SAS70 sample reports. These reports will give service organizations a very in-depth and detailed understanding of SAS70 audits. Currently, the Resource Center is offering a sample SAS70 Type II audit report, which explains all the major sections of the report.

Additional information can be found on SAS70 audits, such as the following:

White Papers on SAS70 audits

Glossary of Terms for the auditing standard

Industry specific news on SAS70 audits for the financial services, health services, and many more industries.

All content on the official SAS70 Resource Guide is constantly updated, assuring you that you receive the freshest, most relevant content on SAS70 audits.  Items to be added soon will include training videos and additional SAS70 sample reports.