SAS 70 Audit Reports | Understanding Scope and Control Objectives
SAS 70 Type I and Type II audits can consume quite a bit of time and energy from internal resources when going through the actual audit activities. Added to this are the issues regarding scoping of the audit, which can lead to an even larger amount of work to be done. What’s scope, you say? Well, it’s an important component of the audit, so you’d be wise to gain a greater understanding of how it affects your audit, if you have to go through one.
Most CPA firms that conduct SAS 70 audits use a readily agreed upon, best of breed, standardized set of control objectives that clients “willingly” accept. However, depending on what a company’s “business process” is, the scope of the SAS 70 audit can change dramatically, as can the number of control objectives that an auditor would be testing for. Take two (2) companies that are undergoing a SAS 70: (1) a TPA that processes medical claims and (2) a data center. Both entities would use the readily agreed upon, best of breed, standardized control objectives for laying the framework of the audit; these are the “general controls”. In short, they apply to any company going through a SAS 70. However, the difference occurs with the specific “business process” controls; that is, the “business process” controls that the TPA will be tested for will be quite different from those of the data center. And this, my friends, can dictate, to a large degree, the scope of the audit. Why? Well, depending on how deep you want to “push” to test for business process specific activities, you can really end up spending a lot of time and effort.
To learn more about SAS 70, visit the official SAS 70 Resource Guide.
