SAS 70 Frequently Asked Questions
What information does SAS 70 contain?
Why is SAS 70 becoming a must-have audit?
What types of companies should have a SAS 70 audit?
What are the benefits of a SAS 70 audit to service organizations?
What are the benefits of a SAS 70 audit to user organizations?
How often should a service organization have a SAS 70 audit performed?
What is the difference between a Type I and a Type II SAS 70 audit?
___________________________________________________________
What is SAS 70?
SAS 70 is shorthand for the American Institute of Certified Public Accountants' Statement on Auditing Standards No. 70, titled "Reports on the Processing of Transactions by Service Organizations," which was issued in 1992. This internationally recognized auditing standard discloses the control processes a company uses to handle its customers' financial records.
What information does SAS 70 contain?
A typical SAS 70 report contains:
- The independent auditor's opinion on the design, implementation and effectiveness of your company's controls over a specific audit period;
- The environment, objectives and controls your company has in place to achieve the necessary level of internal control standards; and
- The specific tests used to determine the level of control, including the results of these tests.
Why is SAS 70 becoming a must-have audit?
Although SAS 70 was issued in 1992, demand for this type of audit has increased dramatically since the passing of the Sarbanes-Oxley Act of 2002, which set new requirements for corporate accountability and internal controls.
SAS 70 is now often required by publicly held companies that outsource business related to their financial statements and accounting records. Service providers without SAS 70 audits risk losing business from those customers.
SAS 70 also provides a compelling point of difference for your firm when you're talking to prospects and clients at privately held companies—they'll have peace of mind knowing that an independent auditor has certified that your internal controls are of the highest standards.
What types of companies should have a SAS 70 audit?
A publicly held customer will likely request a SAS 70 audit when your services involve any of the following:
- Transactions that are significant to the client's financial statements;
- Automated and manual procedures that initiate, record, process and report the client's transactions;
- The collection of accounting records related to the client's transactions;
- The capture of other events and conditions that can affect the client's financial statements; and/or
- Any reporting processes necessary to prepare the client's financial statements.
Some examples of service organizations include:
- Application service providers (ASPs)
- Billing and payroll services
- Claims administration
- Credit and collections
- Data processing centers
- Freight auditors
- Investment advisors
- Market research firms
- Medical billing firms
- Rebate processors
- Third party administrators
What are the benefits of a SAS 70 audit to service organizations?
Service organizations receive significant value from having a SAS 70 audit. Benefits include:
- Generating new revenue opportunities by opening new markets. A SAS 70 audit provides a compelling point of difference for your firm. It could open the door to larger businesses and publicly traded companies that weren't prospects before because they are required to do business with SAS 70-compliant service providers.
- Retaining customers in a rapidly changing environment. Simply put, a service provider without a SAS 70 audit risks losing business from customers who require their providers to have SAS 70 audits.
- Building customers' trust. Armed with a SAS 70 audit, you can prove to customers and prospects that your company is committed to safeguarding their data and assets. They'll have peace of mind knowing the proper internal controls are in place and operating effectively to protect their data and assets.
- Improving your company's internal controls. Because a SAS 70 audit evaluates your control policies, independent auditors can often identify ways to improve your own operations and increase your efficiency. In addition, your company can use the report as a training tool for your staff.
- Helping to expose weaknesses and inefficiencies in your IT environment. A SAS 70 audit incorporates a review of the IT controls that are in place to protect your customers' data and assets.
- Maximizing your company's resources. Having a SAS 70 audit can reduce or eliminate the need to fulfill individual audit requests from customers throughout the year, which can strain your resources.
What are the benefits of a SAS 70 audit to user organizations?
The SAS 70 audit gives the user organization—the company outsourcing its data services—assurance that its service providers have implemented processes and internal controls to safeguard its data.
This is important not only for the user organization's peace of mind, but also because the user organization must be able to show that the processes and controls of its service providers are compliant with Sarbanes-Oxley.
For a user organization, obtaining a SAS 70 audit by an independent auditor is much more efficient than having external auditors (or staff members) perform audits on each individual service provider.
In addition, a SAS 70 audit can save you money on your financial statement audit. If you're audited, the information in a SAS 70 audit can be used to reduce the amount of work your auditors must do to examine your internal controls.
How often should a service organization have a SAS 70 audit performed?
A SAS 70 audit should be performed so that the report date is within six months of the user organization's year-end. Some companies choose to have a SAS 70 audit every six months to ensure that it can be used by their customers.
What is the difference between a Type I and a Type II SAS 70 audit?
A Type I report covers a specific point in time (e.g., January 1, 2007), while a Type II report covers a specific date range (e.g., January 1, 2007 through March 31, 2007). A Type II report also includes a statement on the operating effectiveness of the company's control activities, which is not part of a Type I report.
Why Blackman Kallick?
Blackman Kallick has a dedicated team of professionals including CPAs, certified information systems security professionals (CISSPs) and certified information systems auditors (CISAs) who perform SAS 70 audits. But we are more than SAS 70 specialists—we are also the ninth largest accounting firm in Chicago (Crain's Chicago Business, November 17, 2008). With more than 45 years of experience, we can be your single source for advice on all financial aspects of your business. As your trusted advisors, we can use our knowledge of your company to perform your financial statement audit as well as your SAS 70 audit, reducing your overall audit costs.
Blackman Kallick has performed audits for clients in the following service industries:
- Credit and collections
- Insurance
- Third party administration
- Trade promotion management
- And more
In addition:
- We specialize in privately held middle market companies.
- Our service and insurance professionals can add value by recommending best practices in the design and implementation of internal controls.
- We perform audits of public companies that incorporate an audit of their internal controls, and as such, are registered with the Public Company Accounting Oversight Board.
Learn More
To learn more about Blackman Kallick's SAS 70 Audit Services, please contact:
- Matt Dopp, Partner, mdopp@BlackmanKallick.com, 312-980-2958
- Tim Bowling, Partner, tbowling@BlackmanKallick.com, 312-980-2927
