White Papers provided by the SAS 70 Resource Guide
SAS 70 Audits that are Cost Effective for Your Organization
Strategies for Assisting Service Organizations
In an ever-increasing regulatory landscape, audits, whether financial, operational or technology-driven SAS 70 audits, can result in excessive fees and wasted man-hours for your organization, but it doesn’t have to be that way. With Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley (GLBA), just to name a few, the health and benefits industry is feeling the financial burden and pressure of meeting today's compliance rulings. Take note: there are a number of proactive measures your organization can take to help reduce fees, create efficiencies of scale and, ultimately, gain value out of the audit process.
Create a Request for Proposal (RFP) that works for your organization
If your organization is considering putting an audit out for "bid", or needs a first-time audit such as a SAS 70 audit, it's time to create an RFP that gives you answers on how efficient and cost-effective auditors can be. Sure, you need to include the traditional questions, such as firm experience, engagement team credentials and firm licensure. But lurking beneath these topics are a number of important questions that should be asked and, ultimately, included in your RFP:
- Please describe your firm’s pricing. Do you bill hourly, or can you provide a fixed fee that includes all travel, lodging, and any other out-of-pocket expenses?
- Please provide an exact “roadmap” from beginning to end, including all major milestones, activities, and deliverables for the audit process.
- Please describe in detail what pre-planning audit methodologies you will use to help identify our internal resources, time commitments, and any other additional resources you may require from us.
- Please describe what pre-assessment or "readiness" questionnaires, templates, or spreadsheets you will provide us with so we can give you as much information as you need before coming on-site to conduct fieldwork.
- Please describe your firm’s methodology with regard to defining population size and choosing the sample of that population for testing. Take note: this answer will largely dictate time requirements on an audit, as auditors have very different rules and thoughts on "population" and "sample size".
Identify, Train and Retain Internal Personnel
The success of the audit is highly dependent on the skill sets and audit "know-how" of the internal personnel who will be working closely with the auditors. With that in mind, once the audit you are undergoing has been identified, it's time to pick your best and brightest to create an efficient, time-saving audit. Use this helpful checklist to determine the right personnel:
- Start by assessing your personnel's skill sets with regard to any previous exposure to audits, and also assess their current workload capacity.
- Begin a process whereby communication is undertaken immediately between your organization's staff and the external auditors. Procrastination can severely hamper audit efficiencies.
- Because an audit is typically looked upon as additional work outside the scope of an employee's daily duties, take time to thank them and also inform their peers and supervisors that these employees will be undertaking extra tasks in the coming weeks and months. Managing workloads and expectations for employees during an audit is crucial to not only the success of the audit itself, but to your organization as a whole.
Pre-Plan, Participate and be Proactive
Pre-planning is not just for the auditors, but for your internal personnel also. Make contact early and often with the auditors assigned to your audit. Ask them specifically about "hot button" items such as population and sample size, how they would like to see documentation (hard copy or electronic), what the exact scope of the audit is, and what other suggestions, comments and recommendations can be undertaken and resolved before the audit. Take note: any discrepancies or misunderstandings during this initial period of scoping and pre-planning should be brought to the attention of management internally and of the lead engagement personnel for the auditors. By avoiding any missteps early, you are laying the groundwork for an efficient and successful audit.
Lastly, audits should be looked upon as a useful, proactive exercise that helps meet compliance mandates, reveals any weaknesses within your organization’s control structure, and better prepares you for next year's audit. As with SAS 70 audits, auditors will commonly issue "management’s comments": suggestions and recommendations for an organization to improve upon its internal control structure. Don't ignore these comments; rather, take them to heart and implement the recommendations given to you by your auditor. In the end, doing so will create a stronger internal control framework within your organization, while also meeting the suggestions put forth by your auditors, which they may ultimately test in subsequent years. In short, in any audit, an organization should take the time to ask itself the following questions:
- What have we learned from this year's audit that can help improve our organization as a whole?
- Where can we create efficiencies for next year's audit?
- Did our internal personnel perform up to expectations, or do we need to make changes for next year?
- From a cost perspective, did the audit meet expectations or should our organization re-visit the fee?
Putting together an effective SAS 70 roadmap for compliance will have lasting effects on creating an efficient and cost-effective audit. Additionally, readers can download a sample SAS 70 to view the report in its entirety.
