SAS 70 | Learn About Scope, Pricing & SAS 70 Readiness Assessment
Statement on Auditing Standards No. 70 (SAS 70) was put forth in 1992 by the American Institute of Certified Public Accountants and has gained great prominence within the last five years. This is due in large part to the substantial growth of federal compliance legislation, particularly Sarbanes-Oxley (SOX), along with other important provisions such as the Gramm-Leach-Bliley Act (GLBA) and HIPAA. Moreover, a number of state legislative rulings advocating a wide range of privacy and security initiatives have also driven the growth of SAS 70 examinations.
So what do you need to take from this? The growing drumbeat of regulatory compliance is here to stay and will without question continue to grow in the coming years. SAS 70 Type I and Type II audits have become a mainstay in today’s compliance arena, and they are here to stay as well.
Does your organization provide services to another entity? If so, then in the technical jargon of SAS 70 audits you would be identified as a “service organization”. A service organization is a company that traditionally provides material outsourcing services to “user organizations”. Common examples of a “service organization” for purposes of SAS 70 would be a payroll provider, a TPA, or a data center providing managed services, to name just a few. What they all have in common is that they provide services to another organization, which is referred to as the “user organization”.
Thus, if your organization is being required to be SAS 70 Type I or Type II compliant, you will need to find out the specifics, that is, the how’s and why’s of SAS 70 compliance.
Finding your SAS 70 Provider
Once you have a true understanding of the parameters above, begin looking for a CPA firm that can conduct the Type I or Type II audit. Be advised that you get what you pay for: choosing an aggressive, low-cost provider may leave you with a report of poor quality, ultimately doing more harm than good. Remember one important point: the intended users who rely on these reports are traditionally highly versed at examining them, so the reports need to be of high quality. Thus, obtain proposals from firms that are neither too small nor too large. In essence, a national boutique firm specializing in SAS 70 Type I and Type II audits would be a great choice. Why? Their fees would be reasonable, they would conduct the audit in an efficient manner, and they would prepare the final report in an acceptable timeframe.
Do Your Due Diligence for SAS 70 Audits
Before you sign a contract with a CPA firm, be sure to obtain at least three (3) proposals, and be certain you discuss the following points with every firm you receive a fee quote from:
- Regarding scope, is the audit going to be a general controls audit, or is it going to include an examination of specific business processes? Be advised that this is critically important, as it can significantly change the fee of the audit. Many CPA firms will give you a proposal, but it may cover a straightforward, general-controls-only audit, so make sure this is discussed early on.
- In regard to pricing, is the fee a fixed fee, that is, are all out-of-pocket and travel-related expenses included in the audit fee? If not, make this a requirement. Why? Because agreed fees that do not include a fixed-fee provision will end up costing an additional 15% to 25% over the proposed fee. Keep in mind that auditors need to travel, sleep in hotels and feed themselves, and this can get very expensive.
- And how about the test period? If you are seeking a proposal for a SAS 70 Type II audit, you will need to identify and agree on the test period. SAS 70 Type II audit test periods traditionally range from six (6) to twelve (12) months; however, extenuating circumstances can result in a shorter test period. Identifying the test period is critical because it also drives price, to a marginal degree. Do you think a CPA firm’s proposal for a six-month SAS 70 Type II audit will carry the same fee as a twelve-month audit? Absolutely not. Again, identify the test period before you receive proposals from any firm.
- Also, inquire about SAS 70 Readiness Questionnaire forms and templates. Will your audit proposal include a fee for undergoing a comprehensive SAS 70 readiness questionnaire assessment? If not, you will need to discuss this important point. For any company going through a SAS 70 Type I or Type II audit for the very first time, a readiness assessment is a must for ensuring a successful audit.
SAS 70 Readiness Questionnaire Forms & Templates
So, you are on your way to SAS 70 Type I or Type II compliance! Congratulations. The first step is to complete a series of SAS 70 Readiness questionnaire forms and templates. These questionnaires will help guide and drive the audit process for you. They are considered invaluable tools for audit preparation, and any reputable SAS 70 CPA firm will be able to provide them. Some firms charge a fee for conducting a SAS 70 readiness questionnaire session, while others provide the templates free of charge, leaving the service organization to conduct its own SAS 70 readiness assessment. The choice is yours. Another benefit of the SAS 70 readiness assessment is that it helps your organization identify gaps or deficiencies within your control environment that require remediation before the audit begins. There’s no sense in rushing into a SAS 70 Type I or Type II audit without properly preparing for it, and that preparation is exactly what the readiness assessment provides. So, what should the SAS 70 readiness questionnaire forms and templates cover? They need to cover all aspects of a general controls SAS 70 audit, along with any specific provisions for business processes or business drivers that will be included in the scope of the audit.
