SAS 70 is an internationally recognized third-party assurance audit designed for service organizations. It has become the most widely accepted compliance initiative that provides service organizations a benchmark to compare their internal controls and processes against industry best practices.
Statement on Auditing Standards No. 70 (SAS 70) was originally created in 1992 and over the past five to ten years has become globally recognized as one of the highest forms of third-party assurance.
Why do Service Organizations Obtain a SAS 70 Audit?
There are many reasons why a service organization may decide to obtain a SAS 70 audit; however, due to the increased regulatory oversight of the Sarbanes-Oxley Act, many customers now require their service organizations to obtain a SAS 70 audit.
Why Organizations Become SAS 70 Compliant
Outside of customer requests, our clients choose to obtain a SAS 70 audit report to provide their customers with confidence and to differentiate them from the competition. Additionally, many service organizations are audited by several companies during the course of the year. A SAS 70 audit can eliminate additional customer audits and self-assessment questionnaires.
SAS 70 Audit Services:
- SAS 70 Readiness Assessment – an assessment designed for organizations preparing for their first SAS 70 audit. Organizations that have not formally evaluated their internal controls often start with a SAS 70 Readiness Assessment.
- SAS 70 Type I – provides limited assurance and is used to report on the design of controls as of a point in time. Organizations that have policies and procedures in place but want to gain a better understanding of the SAS 70 audit requirements often start with a SAS 70 Type I audit prior to undergoing the SAS 70 Type II audit.
- SAS 70 Type II – provides the highest level of assurance for SAS 70 audits and reports on the service organization's controls and their operating effectiveness over a period of time.
- How does my company prepare for a SAS 70 audit?
Many organizations going through a SAS 70 audit for the first time are overwhelmed, or simply do not have the time to research and implement the internal controls and processes that are normally evaluated during a SAS 70 audit. We offer our clients two options for this preparation.
- The first option is designed for clients who do not have the time, or the internal resources, to evaluate their own internal controls. For this option, we offer onsite consulting to help your organization understand the SAS 70 audit and its requirements as they relate to your industry, and to develop a roadmap to ensure a successful SAS 70 audit.
- The second option is for clients who want only some guidance and wish to prepare for the SAS 70 audit themselves. Normally these are clients that have been through internal controls audits or have on-site resources with an understanding of audit and controls. For this approach, we hold phone conferences and provide an audit framework that clients can easily follow to help ensure the appropriate foundation is set before the SAS 70 audit process starts.
- How much does a SAS 70 audit cost?
The cost of a SAS 70 audit varies for each client because no two SAS 70 audits are the same. However, some of the factors that should be considered in the price of a SAS 70 audit are the size of your organization, the complexity of the information systems under review, the type of services offered and possibly the location of your business. Contact us for a quick and customized SAS 70 audit quote.
- How much time is required from the company's staff to complete a SAS 70 audit?
Preparation for first-time SAS 70 audits
- The amount of time required from your internal resources can vary significantly based on the size of your organization and the preparedness of your internal policies and procedures. A company that has all of these processes documented and mapped out should be able to communicate its services to its auditors efficiently. Some companies choose to hire a consultant to assist in the preparation for their SAS 70 audit and some choose to prepare internally (see FAQ 1).
Resource time required during the SAS 70 Type 1 and Type 2 audits
- SAS 70 Type 1: A company can expect the lead resource for each relevant business unit (System Admin, Network Administrator, Lead Developer, Human Resources, etc.) to devote 5 to 10 hours preparing for and working with the auditors. This includes gathering documentation, responding to questionnaires and holding interviews/walkthroughs with your auditors.
- SAS 70 Type 2: The additional time for a SAS 70 Type 2 audit is mainly spent preparing the documentation requested for your auditor's selections. Normally this documentation preparation can be spread across a variety of resources from specific business units. A SAS 70 Type 2 audit normally requires 50% more time from your internal resources than a Type 1 audit.
- Key Success Factors for an efficient SAS 70 audit include, but are not limited to, the following:
  - A project plan
  - Designation of a SAS 70 project lead
  - Scheduling of required resources (members of business units)
  - Utilization of experienced and educated auditors
- How long does it take to complete a SAS 70 audit?
Timing varies depending on a number of factors, including the preparedness of your organization, its size and the type of services under review. However, for most organizations that operate out of a centralized location, we tell our clients that our audit process, from the time we hold a kickoff call to the time they receive their audit report, is no longer than 8 weeks in duration. Of those 8 weeks, we are normally on site for only 1 or 2 weeks. Please refer to our methodologies for an explanation of the SAS 70 audit process and timeline.
- How often do I need a SAS 70 audit report?
Generally, your clients will want a completed report on an annual basis. Some clients decide to have a report completed every six months to coincide with the financial reporting year ends of their many clients. It is generally cost-effective to perform your audit on an annual basis, but if you need semi-annual audits this can be provided for a marginal increase in fees.
- Do I need a SAS 70 Type 1 or Type 2 audit?
Generally, if your clients are publicly traded companies, they will require your organization to have a Type 2 audit completed at least annually. However, some private organizations will accept a Type 1 audit, and many clients will complete a Type 1 SAS 70 audit to help understand their controls and provide third-party assurance to their clients.
- What is the difference between a SAS 70 Type 1 and Type 2 audit?
Type 1: A SAS 70 Type 1 audit is designed to provide an overview of the service organization's description of the internal controls and processes relevant to its customers. The audit is helpful for service organizations to gain an understanding of the controls and processes in place at the service organization. A SAS 70 Type 1 report includes an audit opinion and a description of the services under review as of a point in time. What does this mean? An independent auditor provides an audit opinion stating that you have controls in place that are designed to meet the objectives of your service.
Type 2: A SAS 70 Type 2 audit also provides a description of the internal controls and processes relevant to customers; however, the auditor also tests these controls over a period of time to verify that the internal controls and processes are actually operating as the service organization intended. How is this different from a Type 1 report? Since your auditors provide an opinion about the actual operation of controls, third parties are more likely to accept a Type 2 report than a Type 1 report.
- What is the composition of a SAS 70 audit report?
There are 4 possible sections of a SAS 70 audit report, which include the following:
Section 1: (Audit Opinion)
A CPA audit opinion is written with each SAS 70 audit report to clearly explain the scope of the services under review and the overall outcome of the type of SAS 70 report issued. The table below illustrates the components covered in the two different types of SAS 70 audit reports.
| Opinion | Type 1 Report | Type 2 Report |
| --- | --- | --- |
| Whether the service organization's description of its controls presents fairly, in all material respects, the relevant aspects of the service organization's controls that had been placed in operation as of a specific date. | Included | Included |
| Whether the controls were suitably designed to achieve specified control objectives. | Included | Included |
| Whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified. | Not Included | Included |
Section 2: (Description of Services/Controls)
This section includes a description of the company's services under review and a detailed explanation of the company's policies and procedures in regard to its service offering. We provide enough information for your clients to understand the important controls that are in place, but not information about your proprietary operations. Section 2 normally covers the following areas:
- Overview of Operations
- Control Environment
- Risk Assessment
- Information System (includes relevant application)
- Control Objectives and Related Controls
- User Control Considerations
Section 3: (Applicable for Type 2 reports)
- Information Provided by the Service Auditor
- Control Objectives, Related Controls and Tests of Operating Effectiveness
Section 4: (Other Information Provided by the Service Organization)
- Information that may be relevant to customers but was outside the scope of the SAS 70 audit.
- Why is a SAS 70 report required?
The big increase in demand for SAS 70 audit reports started after the PCAOB indicated that public corporations' auditors could rely on a SAS 70 Type II audit during the annual assessment of management's internal controls. Since that time, SAS 70 has become an internationally recognized standard and has various other uses; in particular, our customers use the fact that they have a SAS 70 audit report as a method of establishing that they are a credible organization.
- Is the SAS 70 audit standard changing?
Changes to the SAS 70 audit standard are likely to occur sometime during the summer of 2011. The specific requirements have not been formally communicated by the AICPA, but it is believed that some of the current standards in ISAE 3402 will be adopted in the new SAS 70 audit standard.