SAS 70 Step by Step Process for Compliance
Performing a SAS 70 audit is a structured, multi-step process that includes a number of predefined procedures which must take place to ensure its successful and timely completion. Depending on a service organization’s needs, a SAS 70 Type II audit is generally performed for a subsequent period following the completion of a Type I. Successfully completing a SAS 70 Type I and then moving towards Type II compliance for subsequent years is the most common path many service organizations choose.
Type II compliance can be dependent on a variety of circumstances, but primarily it is driven by publicly traded (i.e., SEC-registered) companies having to certify the internal controls of service organizations to which they outsource material or significant functions. This is required under Section 404 of the Sarbanes-Oxley Act, and therefore a Type II audit is necessary for many service organizations. SAS 70 Type II compliance can be attained by following the most common approach, whereby service organizations first become Type I certified and then move towards Type II compliance for subsequent years. However, due to factors such as varying financial statement reporting periods for publicly traded corporations and a host of other issues, working immediately towards Type II compliance is at times the only option.
The SAS 70 Type I and Type II roadmap to compliance encompasses the following:
- Initial discussion between service auditor and service organization for the purposes of understanding the scope, timing and final deliverables of the audit.
- Service organization successfully undertakes a service auditor SAS 70 Readiness assessment.
- Service auditor reviews, analyzes, and makes comments and recommendations regarding the information obtained during the SAS 70 Readiness assessment.
- In-depth discussion ensues with the service organization regarding the SAS 70 Readiness assessment.
- Service auditor and service organization collectively agree on any areas within the service organization’s control environment that require remediation prior to beginning the SAS 70 Type I or Type II fieldwork.
- Service auditor sends the client a Prepared by Client (PBC) list, which consists of documents and other deliverables that must be prepared prior to commencement of the SAS 70 Type I or Type II fieldwork.
- Service auditor conducts fieldwork and holds an in-depth meeting with the service organization to discuss findings.
- Preparation of the initial draft report begins, with collaborative effort from the service organization, ultimately leading to the generation of the final SAS 70 Service Auditor's Report.
- Final closing meeting between service auditor and service organization to discuss the final SAS 70 Service Auditor's Report, along with management's comments on the audit, the intended users of the report, and all other significant items that merit discussion.
Download a sample SAS 70 report to view the culmination of the audit process.
