Charles Denyer has in-depth expertise in the following areas: SAS 70 audits (sas70.us.com), Payment Card Industry Compliance (pciassessment.org), Regulation AB Item 1122/1123 compliance, and Sarbanes-Oxley compliance. He also has a keen understanding and sound interpretation of all compliance rulings/regulations and associated standards/frameworks/methodologies used for auditing and risk assurance compliance: GLBA, Sarbanes-Oxley, HIPAA, FISMA, FFIEC, COBIT, COSO, ISO 27001, Payment Card Industry Compliance, and Securities Compliance (Regulation AB-1122/1123). Additionally, he is an advanced search engine optimization (SEO) and online viral marketing expert.
Statement on Auditing Standards No. 70 (SAS 70) was put forth in 1992 by the American Institute of Certified Public Accountants and has gained great prominence within the last five years. This is due in large part to the substantial growth of federal compliance legislation, particularly Sarbanes-Oxley (SOX), along with other important provisions, such as the Gramm-Leach-Bliley Act (GLBA) and HIPAA. Moreover, a number of state legislative rulings advocating a wide range of privacy and security initiatives have also impacted the growth of SAS 70 examinations.
So what do you need to take from this? The growing drumbeat of regulatory compliance is here to stay and will without question continue to grow in the coming years. Additionally, SAS 70 Type I and Type II audits have become a mainstay in today's compliance arena, and they too are here to stay.
Are you a service organization providing services to another entity? If so, then it's safe to assume that, in the technical jargon of SAS 70 audits, you would be identified as a "service organization". A service organization is a company that traditionally provides material outsourcing services to "user organizations". Some common examples of a "service organization" for purposes of SAS 70 would be a payroll provider, a TPA, or a data center providing managed services. What they all have in common is that they provide services to another organization, which is often referred to as the "user organization".
Thus, if your organization is being required to be SAS 70 Type I or Type II compliant, you will need to find out the specifics, that is, the hows and whys of SAS 70 compliance.
Finding your SAS 70 Provider
Once you obtain a true understanding of the parameters above, begin to look for a CPA firm that can conduct the Type I or Type II audit. Please be advised that you get what you pay for, so going for an aggressive, low-cost provider may end up giving you a report of poor quality, ultimately doing more harm than good. Remember this one important point: because the intended users who rely on these reports are traditionally highly versed at examining them, the reports need to be of high quality. Thus, obtain proposals from firms that are not too small, but not too large. In essence, a national boutique firm specializing in SAS 70 Type I and Type II audits would be a great choice. Why? Their fees would be reasonable; they would conduct the audit in an efficient manner and prepare the final report in an acceptable timeframe.
Do your Due-Diligence for SAS 70 Audits
Before you sign a contract with a CPA firm, be sure to obtain at least three (3) proposals, and be very certain you converse on the following points with every firm that you are receiving a fee quote from:
- Regarding scope, is the audit going to be a general controls audit or is it going to include an examination of specific business processes? Please be advised: this is critically important as it can significantly change the fee of the audit. Many CPA firms will give you a proposal, but it may be for a straightforward, general-controls-only audit, so make sure this is discussed early on.
- In regards to pricing, is the fee a fixed fee; that is, are all out-of-pocket and travel-related expenses included in the audit fee? If not, make this a requirement. Why? Because fees that are agreed to without a fixed fee provision will end up costing an additional 15% to 25% over the proposed fee. Keep this in mind: auditors need to travel, sleep in hotels and feed themselves, and this can get very expensive.
- And how about the test period? If looking for a proposal for a SAS 70 Type II audit, you will need to identify and agree on the test period. SAS 70 Type II audit test periods traditionally range from six (6) to twelve (12) months; however, extenuating circumstances can result in a shorter test period. Identifying the test period is critical because it also drives prices, to a marginal degree. Think a proposal from a CPA firm for a 6 month SAS 70 Type II audit will be the same fee as a twelve month audit? Absolutely not. Again, identify the time period for testing before you receive the proposals from any firm.
- Also, inquire about SAS 70 Readiness Questionnaire forms and templates. Will your audit proposal include a fee for undergoing a comprehensive SAS 70 readiness questionnaire assessment? If not, you will need to discuss this important point. For any company going through a SAS 70 Type I or Type II audit for the very first time, a readiness assessment is a must for ensuring a successful audit.
SAS 70 Readiness Questionnaire Forms & Templates
So, you are on your way to SAS 70 Type I or Type II compliance! Congratulations. The first step that needs to be undertaken is to complete a series of SAS 70 Readiness questionnaire forms and templates. These questionnaires will really help guide and drive the audit process for you. They are considered invaluable tools for audit preparation, and any reputable SAS 70 CPA firm will be able to provide them for you. Some firms charge a fee for conducting a SAS 70 readiness questionnaire session, while others may provide the templates free of charge, leaving the service organization to conduct its own SAS 70 readiness assessment. The choice is yours. Another benefit of the SAS 70 readiness assessment is that it helps your organization identify gaps or deficiencies within your control environment that require remediation or correction before the audit begins. There's no sense in rushing into a SAS 70 Type I or Type II audit without properly preparing for it, and that preparation is exactly what the readiness assessment provides. So, what should the SAS 70 readiness questionnaire forms and templates cover? They need to cover all aspects of a general controls SAS 70 audit along with any specific provisions for business processes or business drivers that will be included in the scope of the audit.