The SAS 70 auditing standard, set out in 1992 by the American Institute of Certified Public Accountants, has gained great prominence and popularity in recent years. This is due in large part to the rapid growth of regulatory compliance legislation, in particular the Sarbanes-Oxley Act of 2002 (SOX), along with other notable provisions such as HIPAA and the Gramm-Leach-Bliley Act (GLBA). On top of these laws, numerous state legislative rulings advocating a wide range of privacy and security measures have also affected the growth of SAS 70 Type I and Type II audits.
What is important to note is twofold. First and foremost, regulatory compliance and corporate governance are here to stay and will continue to grow aggressively in the coming years. Second, Statement on Auditing Standards No. 70, known to many simply as SAS 70, has become a permanent fixture in this growing field.
SAS 70 for Service Organizations
If you are an organization providing services to another entity, then it is safe to assume that, in the technical jargon of SAS 70 audits, you would be defined as a service provider. In practice, this is a company that usually provides substantial outsourced services to other institutions. Common examples of service providers for the purposes of SAS 70 are a payroll company, a third-party administrator (TPA), a co-location or data center providing operational services, or a medical billing processor, just to name a few. Again, what they have in common is their ability to provide needed services to other companies.
SAS 70 Compliance - Where to Start?
If your organization is being asked to be SAS 70 compliant, you need to find out what the entity asking you to be compliant expects over the long term. Is this a one-time event only? Are they asking for annual SAS 70 compliance? Do you need to be SAS 70 Type II compliant for the initial review, or will a Type I audit suffice?
Once you have a strong understanding of these factors, you can start looking for a qualified firm to perform the review. Buyer beware: you get what you pay for, so going for the lowest cost may very well leave you with a poor report, which could ultimately do more harm than good. Why is that? Because the intended users who rely on these reports are usually well trained to read and digest them, so the reports had better be of high quality. Get proposals from firms that are neither too small nor too large. A national boutique CPA firm specializing in SAS 70 audits would be a good choice: its fees should be reasonable, and it should conduct the audit efficiently and prepare the final report in an acceptable timeframe.
SAS 70 Hot Button Issues
But before you sign on the dotted line, make sure you get at least three proposals, and be sure to discuss the following points with every CPA firm you are receiving a fee quote from:
Scope - Is the audit to be a general controls review, or is it going to include an examination of specific business processes or business drivers? This is important, as it can significantly change the fee for the review. Many CPA firms will give you a proposal, but it may cover a simple general controls review only, so make sure this is discussed.
Pricing - Is the charge a fixed fee that includes all out-of-pocket and travel expenses incurred during the audit? If not, make this a requirement. Why? Because proposals that do not contain a fixed-fee provision will end up costing an additional 10% to 20% of the proposed fee. Remember, auditors travel, sleep in hotels and need to eat, and this can get expensive.
Test period - If you are looking for a proposal for a SAS 70 Type II audit, you will need to identify and agree on the test period. SAS 70 Type II audit test periods generally range from six (6) to twelve (12) months; however, extenuating circumstances can lead to a shorter period. The test period is important to recognize because it also drives the price, to a marginal extent. Do you think a firm's proposed fee for a 6-month SAS 70 Type II audit will be the same as its fee for an annual review? Not at all. Again, identify the time period for testing before you get proposals from any firm.
SAS 70 readiness questionnaire - Does the proposal include a fee for undergoing a comprehensive SAS 70 readiness questionnaire assessment? If not, you need to discuss this important topic. For any organization going through SAS 70 for the first time, readiness is a must to ensure a successful review.
I found my company, now where do I begin?
So, you’re bound to SAS 70 Type I or Type II compliance. The first step is to complete a full set of SAS 70 readiness questionnaire forms and templates. These questionnaires will help drive and lead the audit. They are considered an invaluable tool in preparing for the review, and any reputable SAS 70 CPA firm will be able to provide them for you. Some firms charge a fee for conducting a SAS 70 readiness questionnaire session, while others may provide the templates for free, so that customers can conduct their own SAS 70 readiness. The choice is yours. Another benefit of SAS 70 readiness is that it helps organizations find weaknesses or failures within the control environment that require changes or improvements before the audit begins. There is no sense in rushing into a SAS 70 Type I or Type II audit without properly preparing for it, and that preparation is exactly what the readiness phase provides.
So, what should the SAS 70 readiness questionnaire forms and templates cover? They should cover all aspects of the general controls SAS 70 review and any special provisions for business processes or business drivers that will be included in the scope of the audit. Below are the general control areas that should be covered in the readiness phase. Please note that not all areas can refer to the creation of
Planning and Management - Executive Tone
Organization and Administration - Human Resources
Systems Development Life Cycle
Business Continuity and Disaster Recovery (This is optional, as SAS 70 guidelines state that “programs” are not regulated targets.)
For more information on getting SAS 70 readiness questionnaire forms and templates, visit the SAS 70 Resource Guide. You can get SAS 70 sample reports too.