Ecom Infotech

SAS 70 Services

What is SAS70?

The SAS 70 is an internationally recognized auditing standard that ensures that a service organization has been through an in-depth audit of their control activities (such as safeguards on information technology). This is especially important in cases where data is regulated and/or sensitive (such as in HIPAA or Sarbanes-Oxley compliance) – where it is essential to know that organizations managing this data have detailed and well-documented controls in place that preserve the safety and privacy of data being stored, processed and transmitted.

Bottom line: Passing a SAS 70 audit is essential for compliance with regulatory requirements. But there’s more. Think beyond legalities. If you own a company that sells outsourced services that can significantly affect the financial health of client companies (such as payroll services, data management, or claims processing), getting a clean bill of health from a SAS 70 audit sends a strong signal of quality and trustworthiness to your clients. In effect, the audit declares: “We have all the controls and safeguards needed to preserve the security, integrity and quality of the information we manage. Trust us with yours.”

Think of the SAS 70 as your company’s “Best Practices”. Now sit on the other side of the table. If your company uses outside vendors, a SAS 70 audit confirms that the companies handling your most sensitive and valuable information have the procedures and equipment in place to give you the assurance that data storage, firewall configuration, database access, data transmissions, backup/recovery, access controls and other systems are up to date and appropriate.

Are you ready for SAS 70?

Knowing how much extra value and assurance a SAS 70 audit can deliver, many clients find it makes sense to take steps to ensure a more successful outcome, including hiring experts who are skilled in helping companies be more thorough and thoughtful in how they approach their audits.

Preparing for a SAS 70 audit is a matter of clear thinking and smart planning. Work with a consulting company such as ECOM to dig into areas such as incident response programs, change management processes and how vendors are monitored and managed in advance of the actual audit in order to identify and resolve questions and problems.

Type I and Type II SAS 70 audit differences

Type 1 SAS 70 audits opine on controls that are in place as of a date in time. The opinion deals with the fairness of presentation of the controls and the design of the controls in terms of their ability to meet defined control objectives. Since these reports only provide assurance over a single day, they are of limited value to third parties.

Type 2 SAS 70 audits opine on controls that were in place over a period of time, which is typically a period of six months or more. The opinion deals with the fairness of presentation of the controls, the design of the controls with regard to their ability to meet defined control objectives, and the operational effectiveness of those controls over the defined period. Third parties are better able to rely on these reports because a verification is provided regarding these matters for a substantial period of time.

SAS 70 Comparison: Type 1 SAS 70 vs. Type 2 SAS 70

Reports on Compliance

Type 1 SAS 70
• Report is as of a point in time (i.e., as of 12/31/200X)
• Looks at the design of controls – not operating effectiveness
• Limited use & considered for information purposes only
• Not considered useful for purposes of reliance by user auditors
• Not used as a basis for reducing the assessment of control risk below the maximum
• Generally performed in the first year that a service organization has a SAS 70 requirement

Type 2 SAS 70
• Report covers a period of time, generally not less than 6 months and not more than 12 months
• Differentiating factor: includes tests of operating effectiveness
• May provide the user auditor with a basis for reducing assessment of control risk below maximum
• Requires more internal and external effort
• Identifies instances of non-compliance of the stated control activity
• More emphasis on evidential matter


ECOM’s SAS 70 Typical Engagement Approach and Methodology

ECOM provides an end-to-end certification process for SAS 70. After the initial consultation to define the needs of the service organization, agree on project scope, and finalize the terms of our services, a formalized methodology is used to complete the SAS 70 engagement. Through the consistency of this methodology, we are able to achieve great efficiency and limit the disruption to the service organization’s operations. The following project stages are used for each SAS 70 audit:

1. Planning and Readiness Assessment
• Define expectations and project roles.
• Preliminary interviews / questionnaires conducted to gain understanding of requirements.
• Client information request list prepared and distributed.
• Analysis of client-prepared information performed and client feedback provided.
• Project timeline (including estimates of client hours) / plan created and modifications made based on client discussions.

2. Identification of Controls
• Control objectives and activities written through collaboration of our team and client management.
• Planned testing procedures submitted to client for each control activity.
• Discussion regarding content of introductory sections of SAS 70 report.

3. Testing of Controls / Fieldwork
• Kickoff meeting conducted with all stakeholders.
• Audit inquiries and walkthroughs performed by audit team to confirm understanding based on control objectives.
• Testing procedures finalized and reviewed by client personnel to determine feasibility.
• Audit team performs testing of each control activity to assess operating effectiveness during test period.
• Test results communicated and exceptions are resolved, if possible.
• Closing meeting conducted to finalize project results, timing of report issuance, and discuss management recommendations.

4. Reporting
• SAS 70 audit report is drafted through inputs from both the audit team and client management.
• Engagement finalization tasks performed by audit team: final work paper review, draft report review, and any necessary modifications.
• Client approves final version, audit quality assurance performed, and report is issued.

5. Ongoing Support
• Participation in meetings and answering questions of user organizations and their auditors.
• Consultation with management regarding organizational or operational changes affecting SAS 70.

Typical Scope

The SAS 70 defines the standards used by a service auditor to assess the internal controls of a service organization. The control objectives and activities vary based on the scope of the SAS 70 and client operations. The relationship between the service organization and the user organizations must be examined to help determine the controls that should be included in the engagement. In addition, the impact on the user organizations’ financial statements is the determining factor as to whether controls at the service organization are in the scope of the SAS 70. The following outlines typical categories for control activities that are included in the description of controls for most SAS 70 reviews:

General Computer Controls

• Logical security (security administration / passwords)
• Physical and environmental security
• Network security (firewalls, intrusion prevention)
• Change management
• Data retention and storage
• Disaster recovery / business continuity
• System documentation

Application Controls

There are also application-specific control activities that will vary based on the client systems that have been implemented. For example, the system application(s) of a third-party payroll provider would normally be reviewed to understand the automated controls around transaction processing.

Financial (“Back Office”) Controls

In some instances, the financial controls of the service organization affect the financial reporting of the user organization. The planning stage of the SAS 70 includes discussions with user organizations and analysis of operations to determine the financial controls (if any) that should be in scope for the audit. Along with our testing of these control activities, we will also consider the overall control environment (organizational structure, ‘tone at the top’), how management assesses its risks, information and communication (how information is communicated and transferred throughout the company), and monitoring (how the effectiveness of internal controls is being assessed within the organization).

For more details, please contact us.


Copyright © 2009-10. All Rights Reserved. Ecom Infotech Inc
Email Us:
info@ecominfotech.biz Telephone: 1-312-224-1657 (US), +91-98694-36685 (India)