SAS 70 Audits | Understanding Audit Scope
SAS 70 audits can be an arduous undertaking for many service organizations (i.e., third-party providers and outsourcing providers), to say the least. Add to the mix the many other moving parts of this audit, and it can quickly consume and overwhelm an organization.
You can mitigate or eliminate these headaches by first and foremost understanding the scope of a SAS 70 audit. Scope is a critical factor for SAS 70 audits; it helps determine many variables and parameters for the audit itself. Use this handy reference checklist to help determine the scope of the audit when talking to a CPA firm about proposals. Share this information with the firm to help obtain a more accurate fee.
1. Who is asking my organization to be SAS 70 compliant and are they requesting a SAS 70 Type I or a SAS 70 Type II audit?
2. Is the audit a general controls audit, or are there specific provisions being requested for the audit, such as certain business processes? (Note: This is an important question because the more the audit delves into specific business process areas, the more time-consuming and expensive the audit will be.) Many firms may give you a proposal that is simply based on a “General Controls SAS 70”, that is, an audit that essentially only covers the general baseline controls.
3. What physical locations will be included in the scope of the audit, such as data centers our company uses, along with other offices (if any) outside of our main corporate or regional office?
4. If it is a SAS 70 Type II audit, what will the testing period be for the SAS 70 audit?
If you have discussed, identified, and agreed on the above points as an organization, then you are headed in the right direction for the SAS 70 audit process.
To learn more about SAS 70 or to receive a sample SAS 70 audit, visit the official SAS 70 Resource Guide.
