SAS 70 Audit | Pricing & Scoping Information You Need to Know

  • Jun 28, 2008

In today’s complex and growing regulatory compliance arena, SAS 70 Type I and Type II audits have become commonplace for many organizations that provide critical outsourcing services to companies. Known in the SAS 70 world as “service organizations”, these companies include traditional payroll companies, Software as a Service (SaaS) providers, data centers, and third party administrators (TPA), just to name a few.

They’ve all fallen under the mantra of having to be SAS 70 compliant, either because of Sarbanes-Oxley (SOX) or some other type of compliance mandate. Often, the first question from these service organizations is how much a SAS 70 audit costs. What’s important to note are the two main factors that drive SAS 70 audit pricing: which CPA firm is conducting the audit and what the scope of the audit itself is.

CPA Firms Who Specialize in SAS 70 Audits

From small regional accounting firms to the nationally recognized big four firms, there are a host of providers available for SAS 70 audits. As with anything in life, most organizations try to find the most value for their money. Small regional firms may be cost-effective, yet they may lack the expertise and name recognition of other firms. Likewise, big four accounting firms will charge you a heavy premium audit fee, yet will “stamp” their name on the report, ultimately giving it a high level of credibility simply based on who they are.

Because SAS 70 Type I and Type II audit prices have a wide range, it’s probably a good idea to pick the healthy middle, that is, a firm that is specialized, nationally known, not too large and bureaucratic, and that provides you with a cost-effective, “fixed fee” for the audit. You get highly specialized auditors, a fair fee, and traditionally a quick turnaround in receiving the final report from the CPA firm.

Scoping for the SAS 70 Audit

Many variables come into play for pricing considerations, but scoping is especially important. It tells you and the CPA firm what will be tested, where it will be tested, and, if a SAS 70 Type II audit is being conducted, how long the test period will be. With that said, listed below are the main points to discuss and consider with any CPA firm you enter into dialogue with regarding a SAS 70 Type I or Type II audit. Use this as a baseline for discussing the scope of the audit, and it will ensure that the fees in the proposal you ultimately receive are fair and equitable:






  • Discuss whether the audit will be only a “general controls” audit, that is, one that covers the essential, core components of any SAS 70 audit, or whether there will be specific business processes or activities included in the scope. For example, if you are a data center, will the CPA firm include in the scope all managed services activities you conduct? Another example would be if you are a third party administrator (TPA): would the scope include testing for specific plan administration and billing & eligibility activities, or would it just be a general controls audit? In essence, discuss and come to an agreement on which additional business lines outside the scope of a “general controls” SAS 70 the audit fee will include.




  • Location: Where are your primary facilities located, and what testing is done at these physical locations? You may have more than one location, and if so, the CPA firm needs to know what is being conducted there and whether it will be included in the scope.




  • Test Period: If conducting a SAS 70 Type II audit, what will the test period be? Traditionally, test periods range from six (6) to twelve (12) months, but they may be shorter based on pressing circumstances. Generally, the longer the audit test period, the more the CPA firm will charge. Thus, agree on the test period that goes along with the particular proposal you receive.




  • Out of Pocket Fees: Travel, lodging, and any other out of pocket, miscellaneous fees can add up, so it’s important to get a fee that is “fixed”, meaning the proposal includes all of these expenses. If not, then expect to pay anywhere from 10% to 20% more than the fee proposal itself, because that’s what these costs typically run relative to the underlying audit fee when these items are excluded.





If you want to learn more about SAS 70 audits you can visit the SAS 70 Resource Guide where SAS 70 sample reports are available to interested readers.

Charles Denyer

Expertise in the following areas: SAS 70 audits, Regulation AB Item 1122/1123 compliance, Sarbanes-Oxley compliance.

Keen understanding and sound interpretation of all compliance rulings/regulations and associated standards/frameworks/methodologies used for auditing and risk assurance compliance:

GLBA, Sarbanes-Oxley, HIPAA, FISMA, FFIEC, COBIT, COSO, ISO 27001. Payment Card Industry Compliance, Securities Compliance (Regulation AB-1122/1123).

Additionally, advanced search engine optimization (SEO) and online viral marketing expert.
