www.sas70.us.com
SAS 70
An Introduction to the SAS 70 Auditing Standard along with important cost
considerations for Type I and Type II SAS 70 audits.
Statement on Auditing Standards Number 70, more commonly known as SAS 70, is an auditing
standard put forth in 1992 by the Auditing Standards Board (ASB) as designated by the
American Institute of Certified Public Accountants (AICPA). For the first ten years, the SAS 70
auditing standard was not widely known, however, this changed immediately with the passage of
the Sarbanes Oxley (SOX) Act of 2002. The relationship between Sarbanes-Oxley and SAS 70
became quite apparent with Section 404 of the SOX act, which states that “management” must
report annually on it’s effectiveness of internal controls. And since a large number of publicly
traded companies outsource many critical services to entities commonly known as “service
organizations”, these very service organizations quickly became an integral component for
purposes of financial reporting. Therefore, a due-diligence process had to be enacted to have on
organization’s internal controls inquired and tested for operating effectiveness; enter the SAS 70
auditing standard.
And let’s not forget today’s heightened business climate, such as competitive marketing
advantages and lengthy compliance requirements on Request for Proposals (RFP), which have
fueled the SAS 70 auditing standard even more.
Types of SAS 70 Audits
There are two types of SAS 70 audits, a Type I and a Type II audit. A SAS 70 Type I audit is
conducted for a point in time, that is, the report is dated for a specific date (i.e., July 13, 2009). A
SAS 70 Type II tests a wide array of internal controls over a stated period of time, generally
anywhere between four to twelve months, with a six month testing period being the agreed upon
standard by most auditors.
And to no surprise, SAS 70 Type II audits are considered more time consuming (audit scope,
preparation, fieldwork, testing of controls, etc.) than a SAS 70 Type I audit, thus, they are more
expensive. Pricing for these highly specialized audits is generally widespread, with large national
accounting firms charging the most, while smaller, regionally located firms charging much lower
fees. The great SAS 70 “land rush” has resulted in many CPA firms now issuing SAS 70 audits,
some with vast experience, while others are just beginning the process of learning what it takes
to issue an audit of this magnitude.
Pricing Considerations
So what does a SAS 70 audit cost? That’s an open ended question where many variables come
into play. Points to consider for pricing are the following:
www.sas70.us.com

www.sas70.us.com
• Are you looking for a general SAS 70 audit or a more specialized audit that delves into
that
certain business processes that your organization undertakes?
• Do you need a Type I or a Type II SAS 70 audit?
• If you need a Type II audit, what is the test period?
• How many physical locations will be included in the SAS 70 audit? That is do you have
is,
offices around the country or facilities that must be part of the audit process?
• Are you willing to pay higher fees for a more nationally recognized firm or are you
comfortable with a smaller, regional firm?
• Are you more comfortable with an hourly bill rate from a CPA firm or would you prefer
hourly
a firm that gives you a “fixed fee” price?
A lot of options as one can see; almost like showing up at a car dealership and trying to find the
make, model, and all the options you want.
My advice to organizations is the following: Find a boutique, nationally recognized firm that can
ions
provide the audit on a “fixed fee”, while still giving you the quality of work you expect.
Author: Charles Denyer, cdenyer@ndbcpa.com
Charles Denyer is a member of NDB, LLP, a nationally recognized CPA firm specializing in
es
SAS 70 audits. NDB, LLP has performed SAS 70 audits for a wide array of organizations,
ranging from small, private start-ups to nationally and internationally recognized entities. NDB
-ups en
provides cost-effective “fixed fees” with a superior audit process. To learn more about NDB,
effective
visit http://www.sas70.us.com, the most in depth site available on learning more about the SAS
, in-depth
70 auditing standard.
www.sas70.us.com