SAS 70 FAQ

How does my company prepare for a SAS 70 audit?

How much does a SAS 70 audit cost?

How much time is required from the company’s staff to complete a SAS 70 audit?

How long does it take to complete a SAS 70 audit?

How often do I have a SAS 70 audit report?

Do I need a SAS 70 Type 1 or Type 2 audit?

What is the difference between a SAS 70 Type 1 and Type 2 audit?

Why is a SAS 70 report required?

Is the SAS 70 audit standard changing?

 

1.    How does my company prepare for a SAS 70 audit?

a. Many organizations going through a SAS 70 audit for the first time are overwhelmed, or may simply not have the time to research and implement the internal controls and processes that are normally evaluated during a SAS 70 audit.  We offer our clients 2 different options.

1) The first option is designed for clients who do not have the time or the internal resources to evaluate their internal controls.  For this option we offer onsite consulting to help your organization understand a SAS 70 audit and the requirements as they relate to your industry, and to develop a road map to ensure a successful SAS 70 audit.

2) The second option is for clients that are just looking for some guidance and wish to prepare for the SAS 70 audit themselves.  Normally these are clients that have been through internal controls audits or have onsite resources with an understanding of audit and controls.  For this approach we simply hold phone conferences and provide our clients with an audit framework that they can easily follow to help ensure the appropriate foundation is set to start the SAS 70 audit process.

 

2. How much does a SAS 70 audit cost?

a. The cost of a SAS 70 audit varies for each client because each SAS 70 audit is different from the next.  However, some of the factors that should be considered in the price of a SAS 70 audit are the size of your organization, the complexity of the information systems under review, the type of services offered and possibly the location of your business.  Contact us for a quick and customized SAS 70 audit quote.

 

3. How much time is required from the company’s staff to complete a SAS 70 audit?

a.    Preparation for first time SAS 70 audits

i.    The amount of time required from your internal resources can vary significantly based on the size of your organization and the preparedness of your internal policies and procedures.  A company that has all of these processes documented and mapped out should be able to efficiently communicate its services to its auditors.  Some companies choose to hire a consultant to assist in the preparation of their SAS 70 audit and some choose to prepare internally (see FAQ 1).

b.    Resource time required during the SAS 70 Type 1 and Type 2 audits

i.    SAS 70 Type 1:  A company can expect the lead resource over each relevant business unit (System Admin, Network Administrator, Lead Developer, Human Resources, etc.) to devote 5 to 10 hours to preparing for and working with the auditors.  This includes documentation gathering, responding to questionnaires and holding interviews/walkthroughs with your auditors.

ii.    SAS 70 Type 2:  The additional time for a SAS 70 Type 2 audit is mainly allocated to preparing the documentation that your auditor requests for audit selections.  Normally this documentation preparation can be allocated to a variety of resources from specific business units.  A SAS 70 Type 2 audit will normally require 50% more time from your internal resources than a Type 1 audit.

iii.    Key Success Factors for an efficient SAS 70 audit include but are not limited to the following:

1.    A project plan

2.    Designation of a SAS 70 project lead

3.    Scheduling of required resources (members of business units)

4.    Utilization of experienced and educated auditors

 

4.    How long does it take to complete a SAS 70 audit?

a.    Timing varies depending on a number of factors, including the preparedness of your organization and the size and type of services under review.  However, for most organizations that operate out of a centralized location, we tell our clients that our audit process, from the time we hold a kickoff call to the time they receive their audit report, is no longer than 8 weeks in duration.  Of those 8 weeks, we are normally onsite for only 1 or 2 weeks.  Please refer to our methodologies for an explanation of the SAS 70 audit process and timeline.

 

5.    How often do I have a SAS 70 audit report?

a.    Generally your clients will want a completed report on an annual basis.  Some clients decide to have a report completed every six months to coincide with the financial reporting year-ends of multiple clients of their own.  It is generally cost effective to perform your audit on an annual basis, but if you need semi-annual audits these can be provided for a marginal increase in fees.

 

6.    Do I need a SAS 70 Type 1 or Type 2 audit?

a.    Generally, if your clients are publicly traded companies, they will require your organization to have a Type 2 audit completed at least annually.  However, some private organizations will accept a Type 1 audit, and many clients will complete a Type 1 SAS 70 audit to help understand their controls and provide third-party assurance to their clients.

 

7. What is the difference between a SAS 70 Type 1 and Type 2 audit?

Type 1: A SAS 70 Type 1 audit is designed to provide an overview of a Service Organization's description of the internal controls and processes relevant to its customers. The audit helps a Service Organization gain an understanding of the controls and processes that are designed at the Service Organization. A SAS 70 Type 1 report includes an audit opinion and a description of the services under review as of a point in time. What does this mean? An Independent Auditor provides an audit opinion stating that you have controls in place that are designed to meet the objectives of your service.

Type 2: A SAS 70 Type 2 audit also provides a description of the internal controls and processes relevant to the Service Organization's customers; however, the auditor also tests these controls over a period of time to verify that the internal controls and processes are actually occurring as the Service Organization intended. How is this different from a Type 1 report? Since your auditors provide an opinion about the actual operation of controls, third parties are more likely to accept a Type 2 report versus a Type 1 report.

What is the composition of a SAS 70 audit report? There are 4 possible sections of a SAS 70 audit report, which include the following:

a. Section 1: (Audit Opinion)

i. A CPA audit opinion is written with each SAS 70 audit report to clearly explain the scope of the services under review and the overall outcome of the type of SAS 70 report issued. The table below illustrates the components covered in the two different types of SAS 70 audit reports.

| Opinion | Type 1 Report | Type 2 Report |
| --- | --- | --- |
| Whether the service organization’s description of its controls presents fairly, in all material respects, the relevant aspects of the service organization’s controls that had been placed in operation as of a specific date. | Included | Included |
| Whether the controls were suitably designed to achieve specified control objectives. | Included | Included |
| Whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified. | Not Included | Included |

b. Section 2: (Description of Services/Controls)

i. This section includes a description of the company's services under review and a detailed explanation of the company's policies and procedures with regard to its service offering. We provide enough information for your clients to understand the important controls that are in place, but not information about your proprietary operations. Section 2 normally covers the following areas:

1. Overview of Operations

2. Control Environment

3. Risk Assessment

4. Monitoring

5. Communication

6. Information System (includes relevant application)

7. Control Objectives and Related Controls

8. User Control Considerations

c. Section 3: (Applicable for Type 2 reports)

i. Information Provided by the Service Auditor

1. Control Objectives, Related Controls and Tests of Operating Effectiveness

d. Section 4: Other Information Provided by the Service Organization

1. Information that may be relevant to customers but was outside the scope of the SAS 70 audit.

 

8. Why is a SAS 70 report required?

a. The big increase in demand for SAS 70 audit reports started after the PCAOB indicated that public corporations' auditors could rely on a SAS 70 Type II audit during the annual assessment of management's internal controls.  Since this time, SAS 70 has become an internationally recognized standard and has various other uses, but specifically customers utilize the fact that they have a SAS 70 audit report as a method of establishing that they are a credible organization.

 

9. Is the SAS 70 audit standard changing?

a. Changes to the SAS 70 audit standard are likely to occur sometime during the summer of 2011.  The specific requirements have not been formally communicated by the AICPA, but it is believed that some of the current standards in ISAE 3402 will be adopted in the new SAS 70 audit standard.  Visit our Blog for more information about the SAS 70 audit standard changing.
