Archive for the ‘SAS 70’ Category

Types of SAS 70 Services

Wednesday, June 10th, 2009

Now that we’ve discussed what a SAS 70 is and who might need it, let’s talk a bit more about the different types of SAS 70s and the time periods a report might cover.

A Type I SAS 70 assesses the design of internal controls at the service organization.  A Type I is a point-in-time report, meaning it does not provide coverage over a period of time.

A Type II SAS 70 assesses the design of the internal controls at the service organization and also tests their operating effectiveness.  A Type II report covers a defined time frame, usually 6, 9, or 12 months.  These generally take more time to complete because of the testing over the period.  That being said, because there is evidence that controls are in fact working properly, these reports hold more weight and are most often sought after by customers, auditors, and potential future customers.

SAS 70 Readiness assesses a company’s preparedness for a SAS 70 audit by identifying internal control weaknesses prior to the audit being performed.  If a company is entering the first year of completing a SAS 70, these are often performed so that the actual SAS 70 has a clean opinion.  One approach to reducing the cost of a first-year SAS 70 audit is to perform a Readiness Review and a Type I audit in the first year, then perform a Type II in subsequent years.

Does your organization provide an “outsourced” service to companies?  
Have your customers requested to see a SAS 70 audit report?

What is a SAS 70? Who Needs a SAS 70?

Wednesday, June 10th, 2009

A SAS 70 audit report assesses the design and operating effectiveness of a service organization’s controls.  A Type I SAS 70 only assesses the design of controls.  A Type II SAS 70 assesses both the design and operating effectiveness of controls.

Consider the following scenario: your company provides a service that may materially affect your customers’ financial statements.  Naturally, your customers, your customers’ auditors, and your potential future customers want to make sure their financial information is accurate, complete, and recorded properly.  As such, each of these parties requests to inquire about or audit your processes and systems.  What a nightmare, right?

Well, that is where a SAS 70 comes in.  Since the SAS 70 audit report assesses the design and operating effectiveness of a service organization’s controls, the audit report can be provided to customers as evidence of the effectiveness of your controls.  You may not want to provide the report to potential future customers, but letting them know that you received a clean SAS 70 audit report would certainly provide them some comfort regarding your operations.

So what type of organization would need or even want a SAS 70?  Usually the following organizations would consider obtaining a SAS 70: payroll service providers, claims processors, benefits administrators, third-party administrators, clearinghouses, transfer agents, trust administrators, data centers, application service providers (ASPs), and outsourced IT departments.

Here is a pretty good link that provides some more details.

Have your customers requested assurance that your processes and systems are controlled?  
Do you feel comfortable that the business processes and IT processes you have in place are controlled to prevent/detect unnecessary mistakes, unauthorized transactions, unauthorized modifications to data, and fraudulent activity?