SAS 70 | An Auditor’s Expert View on Pricing
SAS 70 Type I and Type II audits have become common for many organizations providing critical outsourcing services to companies. Known as service organizations, they have all landed on the regulatory radar of having to be SAS 70 compliant, due in large part because of Sarbanes Oxley (SOX) or any other large number of federal regulatory compliance mandates.. I’m often asked how much does a SAS 70 Type I or Type II audit cost. Well, that depends on a number of factors and circumstances that will be discussed today.
Choosing a Firm for the SAS 70 Audit
There are a number of providers available for SAS 70 audits, ranging from regional CPA firms to the nationally recognized big four firms. And as with anything in life, most organizations try to find the most value for their money, but remember, you get what you pay for. Small firms may be cost-effective, but they may lack the expertise and name recognition of other firms. The big four accounting firms will charge you a heavy premium audit fee, yet you get their name on the report, ultimately giving it a high level of recognition, simply based on who they are.
Remember, SAS 70 Type I and Type II audit prices have a wide range, so it’s probably a wise choice to pick in between, that is, a firm who is specialized, nationally known, not too large and bureaucratic, and provides you with a cost-effective, “fixed fee” that is fair, equitable, and you can live with.
Scoping the SAS 70 Audit
Numerous factors ultimately come into play for pricing considerations, but scoping is extremely important. It tells you and the CPA firm what will be tested, where it will be tested, and how long the test period will be, if a SAS 70 Type II audit is being performed. Thus, listed below are important points for discussion and consideration with any firm you enter into with regarding a SAS 70 Type I or Type II audit pricing. In short, this should be used as a baseline for discussing the scope of the audit, ultimately ensuring a fair and just fee proposal for SAS 70 Type I or Type II audits.
- Be sure to discuss if the audit will be only a general controls audit-one that covers the essential, core components of any SAS 70 audit-or will there be specific business processes or activities included in the scope. For example, if you are a third party administrator (TPA); would the scope include testing for plan administration, billing & eligibility activities, or would it just be a general controls audit? Thus, converse and come to an agreement on what additional business lines outside the scope of a general controls SAS 70 Type I or SAS 70 Type II will the audit fee ultimately include.
- Discuss where your primary facilities are located and what testing has to be done at these physical locations, if any. Why is this important? Because the CPA firm needs to know what is being conducted there from a business perspective and if it will be included in the scope.
- SAS 70 audit testing periods-If you have to have a SAS 70 Type II audit, then determine what will the test period be. Test periods generally range from six (6) to twelve (12) months. However, the longer the test period, then generally, the more the CPA firm will charge.
- Get a fixed fee-Travel, lodging, and any other out of pocket fees can add up, so it’s important to get a fixed fee; one that includes all of these expenses into the proposal. If not, then expect to pay anywhere from substantially more than the fee proposal itself because out of pocket costs can be very high. The soaring prices of gas and transportation make this point very important.
You can learn more about SAS 70 audits by visiting the AICPA, where publications can be obtained on SAS 70 auditing.
