SAS 70 for my company: is it worth it?

SAS 70 is basically an audit of your controls, very much like SOX 404 but not quite as bad. Believe there are two types: type I is where they assess your control design, type II is where they also assess whether controls are operating as designed.

Auditors of your clients love this as it is additional CYA for them. In theory and auditor can reduce testing if a client has a service provider that has a SAS 70. However, I have never seen auditors actually lower fees because of it.

It is very time consuming and expensive. I would not go through it if not necessary. If only one client is asking for it, I would wait to see whether there is more demand.

Lastly, I know organizations with a type II SAS 70 and their controls are not very good so, how valuable is it in reality (understanding of course perception is that it is valuable).

SAS 70 audits are becoming more important in a service organization, especially if you have customers who are public. If you are going to start the process, I would recommend ensuring that all of your policies/procedures/controls are documented before beginning the audit. Then start with a Type I audit. The Type I is significantly less expensive and time consuming. Use those results to improve your controls and then go with the Type II. In addition to satisfying customer needs, I think that it is a valuable exercise to ensure that controls are valid and are being followed.

Thanks for the great info so far. Now, sorry to ask for details, but how long and how costly for a small company (~50emps)? Is it bid hourly or as a project? Are there any "name brand" firms offering these or should i just look for a local provider? Much appreciated!

Basically, from a compliance point of view, your customers may require a SAS-70 from you when you are an integrated part of their financial reporting internal control (ICFR) environment (usually an IT or transaction risk occurs under your control). Sometimes the customer is just throwing a dead cat over the wall and trying to say that your operation performs internal controls that mitigate their process risk and therefore - they are compliant, and your SAS-70 evidences that.

If your operation cannot cause a material misstatement in their financials then you should not have an ICFR responsibility to them to evidence control performance.The touchy area is when you are part of their SDLC or IT change management process, or if you can change financial transactions (add, change, or delete).

If not, call the customer and get a better definition and explanation of why they need this testing and documentation. They may just be looking for an over-kill on the process ICFR documentation.

Jane, first, SAS70 controls audits are dependent on the services you provide, and thus the audit costs can vary widely. (By the way SAS70 is changing to SSAE 16). For example, in a prior company I led as CFO, we provided SaaS-based invoice, credit and collections services for several large public companies - these clients required we provide a SAS70 audit Type II report, which due to the financial exposure and complexity of services was a costly endeavor (6 figures.)

In contrast, one of our portfolio companies in our Private Equity group, is a managed hosting services company - several public company clients require they complete a SAS70 audit and issue a Type II report at least annually, as these clients have material software applications running in our data center. Given the limited scope the audit costs are nominal (much, much less than the lowest quotes by others here.)

Besides cost, I also believe that any company providing mission critical services to their clients will benefit from committing to a SAS70 audit as it helps improve the controls and assurances. In addition, I have seen insurance discounts offered for E&O and D&O insurance based upon the lower perceived risks. Completing a SAS70 readiness assessment is also a great way to determine if you're really protecting your client's interests, or aspiring to providing quality, reliable, secure services.

I suggest you shop the audit - check out Schramm & Company, a small firm but effective.

Keith

Hi, Jane. Here are a couple of good websites with foundational materials http: // www. ssae-16. com/ and http: // en.wikipedia.org /wiki /SAS70

Keith is right - it really depends upon the service you provide. In some circumstances, you may be able to rely upon your software vendors' SAS 70 certification or other audit certification. For example, an outsource accounting firm I used to work for ensured that our underlying software vendors for accounting and equity compensation administration were SAS 70 Type II certified and when asked by our accounting customers would provide them with the vendors' certifications. That, along with a statement that we were in the process of obtaining our certification was always acceptable to the auditors. Of course, our customers were non-public companies and micro-cap public companies and this response may not have been accepted by auditors for large public companies.

Jane,
Having performed both SAS70 and SOX audits, I thought I would try to address some your questions as succinctly as possible:

>They appear to be just a third party confirmation (or audit) that you do what >you say you do (or, more accurately, what you write as your processes and >procedures). Is that accurate?
Yes, typically issued by a CPA or CPA firm

>Is there a "standard" for how to provide services that is part of the audit, >or is it only an audit of what your company does in particular?
It is a test of your controls, not unlike SOX but may cover areas not covered by SOX. The testing methods may be different and the controls may be different. One is not necessarily easier than the other.

>what does a SAS 70 audit cost? Who does them? Is there a "certification"?
Unfortunately, the cost is something you negotiate with your CPA firm. The only "certification" you get is the final report from your CPA firm. I think to see a "certification" on a website is a bit mis-leading.

>What is the difference between Type I and Type II audits?
Without going to a lot of detail, for a SAS70 to be of any value to a client it MUST be a Type II. Type II is more detailed, Type I is to general

>have SAS 70's been a good selling tool with ROI for your company?
Good question. Unfortunately, it becomes a matter of you company's strategy. If you want to grow and expand your services to publicly traded companies, you would have better luck with a Type II SAS 70 in place. As a potential client (publicly, traded), when evaluating your services if they don't see a Type II SAS70, they may conclude that you're too much of a "small fry" i.e. don't service other large companies. I guess it becomes a "catch-22". You need it to get large clients, but having it doesn't mean they will come knocking on your door.

Hope this helps.