Q&A Forum

SAS 70 for my company: is it worth it?

My company provides some services to our customers which they rely on to get their work done as a company. We recently had a customer ask us whether we had a SAS 70 audit and could they see it. In short, we do not, and this is the first request we have received. I would like to hear what others have experienced with SAS 70 reports. They appear to be just a third-party confirmation (or audit) that you do what you say you do (or, more accurately, what you write as your processes and procedures). Is that accurate? Is there a "standard" for how to provide services that is part of the audit, or is it only an audit of what your company does in particular?

Further, what does a SAS 70 audit cost? Who does them? Is there a "certification"? I see "SAS 70 Certified" on some websites but I can't seem to find a certifying body out there. What is the difference between Type I and Type II audits? Finally, have SAS 70s been a good selling tool with ROI for your company? I know, "the customer is always right." That means we'll probably end up doing this, but I would like to know more of the ins and outs before we just jump in and do it. Thank you.

Answers

Scott Lane
Title: CFO and CRO
Company: TPG Credit Management

SAS 70 is basically an audit of your controls, very much like SOX 404 but not quite as bad. I believe there are two types: Type I is where they assess your control design, Type II is where they also assess whether controls are operating as designed.

Auditors of your clients love this as it is additional CYA for them. In theory an auditor can reduce testing if a client has a service provider that has a SAS 70. However, I have never seen auditors actually lower fees because of it.

It is very time consuming and expensive. I would not go through it if not necessary. If only one client is asking for it, I would wait to see whether there is more demand.

Lastly, I know organizations with a Type II SAS 70 whose controls are not very good, so how valuable is it in reality (understanding, of course, that the perception is that it is valuable)?

Lyle Newkirk
Title: CFO
Company: Corrigo Incorporated

There are two types - Type 1 and Type 2. Type 1 is not hard and can be done in a month or less for $10K-$15K. Type 2 requires testing over a 6 month period and can cost much more. Once you get Type 2, maintaining the certification is not that hard to do. Think of who you will be selling to. A lot of larger public companies may require Type 2. If so, and you have done nothing, you are at least 6 months behind and possibly much more.

I agree with the comment that you can still have internal control issues with SAS 70 Type 2 certification. However, in some sales situations, having it or not having it can make or break a deal as the buyer may use it as a qualifier.

Shop around for the service. Lots of regional firms will do the work for a lot less than the larger firms.

Scott Lane
Title: CFO and CRO
Company: TPG Credit Management

Agree with the point on perception issues and that it can help land business, regardless of the true value added.

I would say, though, that depending on the size of your customers, you should go with a mid to large size firm. You need some brand recognition for your auditors on this.

I had a service provider who used a firm we had never heard of, and as a result we did not place much value on the SAS 70. Not saying that is fair, just how it works.

Jennifer Eversole
Title: Partner & Knowledge Enthusiast
Company: Management Stack, LLC

SAS 70 audits are becoming more important in a service organization, especially if you have customers who are public. If you are going to start the process, I would recommend ensuring that all of your policies/procedures/controls are documented before beginning the audit. Then start with a Type I audit. The Type I is significantly less expensive and time consuming. Use those results to improve your controls and then go with the Type II. In addition to satisfying customer needs, I think that it is a valuable exercise to ensure that controls are valid and are being followed.

Jane Levin
Title: Corporate Controller
Company: Private

Thanks for the great info so far. Now, sorry to ask for details, but how long and how costly for a small company (~50 employees)? Is it bid hourly or as a project? Are there any "name brand" firms offering these, or should I just look for a local provider? Much appreciated!

Jennifer Eversole
Title: Partner & Knowledge Enthusiast
Company: Management Stack, LLC

A Type II SAS 70 tests controls over a minimum of a 6 month period. Then the report will take a month or two to compile. In my experience, the cost for a company of your size would be $40K - $60K, depending on the number of controls being tested. I would check around for regional firms in your area. I have not had much experience with a Type I audit, but I would guess that it would cost $10K - $20K and take a month or two to complete.

Scott Lane
Title: CFO and CRO
Company: TPG Credit Management

I agree with Jennifer's cost estimate. It would be bid like an audit for the overall job; it should not be by the hour.

James Finn
Title: Consultant: Finance, Internal Control, IT Systems, and Compliance
Company: Finn Consulting

Basically, from a compliance point of view, your customers may require a SAS 70 from you when you are an integrated part of their internal control over financial reporting (ICFR) environment (usually an IT or transaction risk occurs under your control). Sometimes the customer is just throwing a dead cat over the wall and trying to say that your operation performs internal controls that mitigate their process risk and therefore they are compliant, and your SAS 70 evidences that.

If your operation cannot cause a material misstatement in their financials, then you should not have an ICFR responsibility to them to evidence control performance. The touchy area is when you are part of their SDLC or IT change management process, or if you can change financial transactions (add, change, or delete).

If not, call the customer and get a better definition and explanation of why they need this testing and documentation. They may just be looking for overkill on the process ICFR documentation.

Keith Taylor
Title: CFO
Company: Lyris, Inc.

Jane, first, SAS 70 controls audits are dependent on the services you provide, and thus the audit costs can vary widely. (By the way, SAS 70 is changing to SSAE 16.) For example, in a prior company I led as CFO, we provided SaaS-based invoice, credit and collections services for several large public companies. These clients required that we provide a SAS 70 Type II audit report, which, due to the financial exposure and complexity of services, was a costly endeavor (six figures).

In contrast, one of our portfolio companies in our private equity group is a managed hosting services company. Several public company clients require that they complete a SAS 70 audit and issue a Type II report at least annually, as these clients have material software applications running in our data center. Given the limited scope, the audit costs are nominal (much, much less than the lowest quotes by others here).

Besides cost, I also believe that any company providing mission-critical services to their clients will benefit from committing to a SAS 70 audit, as it helps improve the controls and assurances. In addition, I have seen insurance discounts offered for E&O and D&O insurance based upon the lower perceived risks. Completing a SAS 70 readiness assessment is also a great way to determine if you're really protecting your clients' interests, or only aspiring to provide quality, reliable, secure services.

I suggest you shop the audit. Check out Schramm & Company, a small firm but effective.

Keith

Achaessa James
Title: Product Manager
Company: National Center for Employee Ownership

Hi, Jane. Here are a couple of good websites with foundational materials: http://www.ssae-16.com/ and http://en.wikipedia.org/wiki/SAS70

Keith is right: it really depends upon the service you provide. In some circumstances, you may be able to rely upon your software vendors' SAS 70 certification or other audit certification. For example, an outsource accounting firm I used to work for ensured that our underlying software vendors for accounting and equity compensation administration were SAS 70 Type II certified, and when asked by our accounting customers, we would provide them with the vendors' certifications. That, along with a statement that we were in the process of obtaining our certification, was always acceptable to the auditors. Of course, our customers were non-public companies and micro-cap public companies, and this response may not have been accepted by auditors for large public companies.

Frank Peavy
Title: Management Consultant
Company: IT/IS and regulatory consulting

Jane,
Having performed both SAS 70 and SOX audits, I thought I would try to address some of your questions as succinctly as possible:

> They appear to be just a third party confirmation (or audit) that you do what you say you do (or, more accurately, what you write as your processes and procedures). Is that accurate?

Yes, typically issued by a CPA or CPA firm.

> Is there a "standard" for how to provide services that is part of the audit, or is it only an audit of what your company does in particular?

It is a test of your controls, not unlike SOX, but it may cover areas not covered by SOX. The testing methods may be different and the controls may be different. One is not necessarily easier than the other.

> What does a SAS 70 audit cost? Who does them? Is there a "certification"?

Unfortunately, the cost is something you negotiate with your CPA firm. The only "certification" you get is the final report from your CPA firm. I think seeing a "certification" on a website is a bit misleading.

> What is the difference between Type I and Type II audits?

Without going into a lot of detail, for a SAS 70 to be of any value to a client it MUST be a Type II. Type II is more detailed; Type I is too general.

> Have SAS 70s been a good selling tool with ROI for your company?

Good question. Unfortunately, it becomes a matter of your company's strategy. If you want to grow and expand your services to publicly traded companies, you would have better luck with a Type II SAS 70 in place. As a potential client (publicly traded), when evaluating your services, if they don't see a Type II SAS 70, they may conclude that you're too much of a "small fry," i.e. you don't service other large companies. I guess it becomes a catch-22: you need it to get large clients, but having it doesn't mean they will come knocking on your door.

Hope this helps.

Ernie Humphrey CTP
Title: CEO & COO
Company: Treasury Careers

It should be noted here that SAS 70 Type II certifications are going away and being replaced by SSAE 16 (SOC 1, 2, and 3). There is a presentation on this transition posted as a resource on Proformative: https://www.proformative.com/og/resource/general-content/sas-70-making-transition-ssae-16
