SAS 70 for my company: is it worth it?
My company provides some services to our customers which they rely on to get their work done as a company. We recently had a customer ask us whether we had a SAS 70 audit and whether they could see it. In short, we do not, and this is the first request we have received. I would like to hear what others have experienced with SAS 70 reports. They appear to be just a third party confirmation (or audit) that you do what you say you do (or, more accurately, what you write as your processes and procedures). Is that accurate? Is there a "standard" for how to provide services that is part of the audit, or is it only an audit of what your company does in particular?
Further, what does a SAS 70 audit cost? Who does them? Is there a "certification"? I see "SAS 70 Certified" on some websites, but I can't seem to find a certifying body out there. What is the difference between Type I and Type II audits? Finally, have SAS 70s been a good selling tool with ROI for your company? I know, "the customer is always right." That means we'll probably end up doing this, but I would like to know more of the ins and outs before we just jump in and do it. Thank you.
Answers
SAS 70 is basically an audit of your controls, very much like SOX 404 but not quite as bad. I believe there are two types: Type I is where they assess your control design; Type II is where they also assess whether controls are operating as designed.
Auditors of your clients love this as it is additional CYA for them. In theory and
It is very time consuming and expensive. I would not go through it if not necessary. If only one client is asking for it, I would wait to see whether there is more demand.
Lastly, I know organizations with a Type II SAS 70 whose controls are not very good, so how valuable is it in reality (understanding, of course, that the perception is that it is valuable)?
There are two types - Type 1 and Type 2. Type 1 is not hard and can be done in a month or less for $10K-$15K. Type 2 requires testing over a 6 month period and can cost much more. Once you get Type 2, maintaining the certification is not that hard to do. Think of who you will be selling to. A lot of larger public companies may require Type 2. If so, and you have done nothing, you are at least 6 months behind and possibly much more.
I agree with the comment that you can still have internal control issues with SAS 70 Type 2 certification. However, in some sales situations, having it or not having it can make or break a deal as the buyer may use it as a qualifier.
Shop around for the service. Lots of regional firms will do the work for a lot less than the larger firms.
Agree with the point on perception issues and that it can help land business, regardless of the true value added.
I would say though that, depending on the size of your customers, you should go with a mid to large size firm. Need some brand recognition for your auditors on this.
I had a service provider who used a firm we had never heard of and as a result we did not place much value on the SAS 70. Not saying that is fair, just how it works.
SAS 70 audits are becoming more important in a service organization, especially if you have customers who are public. If you are going to start the process, I would recommend ensuring that all of your policies/procedures/controls are documented before beginning the audit. Then start with a Type I audit. The Type I is significantly less expensive and time consuming. Use those results to improve your controls and then go with the Type II. In addition to satisfying customer needs, I think that it is a valuable exercise to ensure that controls are valid and are being followed.
Thanks for the great info so far. Now, sorry to ask for details, but how long and how costly for a small company (~50 employees)? Is it bid hourly or as a project? Are there any "name brand" firms offering these, or should I just look for a local provider? Much appreciated!
A Type II SAS 70 tests controls over a minimum of a 6 month period. Then the report will take a month or two to compile. In my experience, the cost for a company of your size would be $40K - $60K, depending on the number of controls being tested. I would check around for regional firms in your area. I have not had much experience with a Type I audit, but I would guess that it would cost $10K - $20K and take a month or two to complete.
I agree with Jennifer's cost estimate. It would be bid like an audit for the overall job; it should not be by the hour.
Basically, from a compliance point of view, your customers may require a SAS-70 from you when you are an integrated part of their financial reporting internal control (ICFR) environment (usually an IT or transaction
If your operation cannot cause a material misstatement in their financials then you should not have an ICFR responsibility to them to evidence control performance. The touchy area is when you are part of their SDLC or IT change
If not, call the customer and get a better definition and explanation of why they need this testing and documentation. They may just be looking for overkill on the process ICFR documentation.
Jane, first, SAS70 controls audits are dependent on the services you provide, and thus the audit costs can vary widely. (By the way SAS70 is changing to SSAE 16). For example, in a prior company I led as
In contrast, one of our portfolio companies in our Private Equity group is a managed hosting services company. Several public company clients require that they complete a SAS70 audit and issue a Type II report at least annually, as these clients have material software applications running in our data center. Given the limited scope, the audit costs are nominal (much, much less than the lowest quotes by others here).
Besides cost, I also believe that any company providing mission critical services to their clients will benefit from committing to a SAS70 audit, as it helps improve the controls and assurances. In addition, I have seen insurance discounts offered for E&O and D&O insurance based upon the lower perceived risks. Completing a SAS70 readiness assessment is also a great way to determine if you're really protecting your clients' interests, or aspiring to provide quality, reliable, secure services.
I suggest you shop the audit - check out Schramm & Company, a small firm but effective.
Keith
Hi, Jane. Here are a couple of good websites with foundational materials: http://www.ssae-16.com/ and http://en.wikipedia.org/wiki/SAS70
Keith is right - it really depends upon the service you provide. In some circumstances, you may be able to rely upon your software vendors' SAS 70 certification or other audit certification. For example, an outsource
Jane,
Having performed both SAS70 and SOX audits, I thought I would try to address some of your questions as succinctly as possible:
> They appear to be just a third party confirmation (or audit) that you do what you say you do (or, more accurately, what you write as your processes and procedures). Is that accurate?
Yes, typically issued by a
> Is there a "standard" for how to provide services that is part of the audit, or is it only an audit of what your company does in particular?
It is a test of your controls, not unlike SOX but may cover areas not covered by SOX. The testing methods may be different and the controls may be different. One is not necessarily easier than the other.
> What does a SAS 70 audit cost? Who does them? Is there a "certification"?
Unfortunately, the cost is something you negotiate with your CPA firm. The only "certification" you get is the final report from your CPA firm. I think to see a "certification" on a website is a bit misleading.
> What is the difference between Type I and Type II audits?
Without going into a lot of detail, for a SAS70 to be of any value to a client it MUST be a Type II. Type II is more detailed; Type I is too general.
> Have SAS 70s been a good selling tool with ROI for your company?
Good question. Unfortunately, it becomes a matter of your company's strategy. If you want to grow and expand your services to publicly traded companies, you would have better luck with a Type II SAS 70 in place. As a potential client (publicly traded), when evaluating your services, if they don't see a Type II SAS70, they may conclude that you're too much of a "small fry", i.e. that you don't service other large companies. I guess it becomes a "catch-22": you need it to get large clients, but having it doesn't mean they will come knocking on your door.
Hope this helps.
It should be noted here that SAS70 Type II certifications are going away and being replaced by SSAE16 (SOC 1, 2, and 3). There is a presentation on this transition posted as a resource on Proformative: https://www.proformative.com/og/resource/general-content/sas-70-making-transition-ssae-16