SAS 70 Audits And Compliance | Expert Advice on Scoping and Audit Pricing - Presentation Transcript
SAS 70 Audits and Compliance | Learn About Type I and Type II Costs and Scoping for SAS 70
SAS 70 Audits have quickly become a mainstay in today’s growing regulatory environment. Governance,
compliance, and security are here to stay, thus it’s imperative that your organization understand the
dynamics of SAS 70 audits, including two critical areas: audit scope and pricing.
First and foremost, what you need to know about SAS 70 audits and compliance: the auditing standard
(Statement on Auditing Standards No. 70) was issued by the AICPA in 1992 and examines the internal control
framework of a service organization and the control objectives that support it, as part of the comprehensive
audit process.
SAS 70 Type I audits report on the design of controls as of a single point in time, while SAS 70 Type II audits
also test the operating effectiveness of those controls over a stated and agreed-upon period, such as a six (6)
month testing period. Type II audits are quickly becoming the norm, because they meet the rigorous demands set
forth for compliance. That is not to say SAS 70 Type I audits are irrelevant; quite the contrary, a Type I audit
helps lay the groundwork for preparing your organization to undergo a SAS 70 Type II audit.
Listed below is the traditional sequence of the major events and activities for embarking on SAS 70
compliance for service organizations.
1. SAS 70 Readiness Assessment: This helps lay the foundation for the audit.
2. SAS 70 Remediation: If any deficiencies or weaknesses within your control environment are
identified during the Readiness Assessment, then the Remediation phase will correct these
issues.
3. SAS 70 Type I Audit
4. SAS 70 Type II Audit
Again, this is a traditional roadmap, which can be shortened if you decide to move right ahead with a
SAS 70 Type II audit.
Now, what about pricing and audit scope? Well, these are the issues you need to clarify with the CPA
firm conducting the audit and with your internal organization before moving forward on any type of SAS
70 compliance:
1. What is going to be covered in the audit? Is it a general controls SAS 70, or are there specific
business processes you want covered? Note: This will help determine the pricing for the audit.
2. How many physical locations are included in the scope of the SAS 70 audit?
3. Do you use third-party outsourcing entities or vendors (e.g. data centers, processing facilities,
etc.) that may fall within the scope of the audit? If so, do they have their own SAS 70, or will
your auditors have to visit their facilities to conduct testing?
4. Do you want a “fixed fee” for the audit or do you want to be billed hourly for the audit fees from
the CPA firm? Note: A “fixed fee” covers ALL audit costs, including travel, miscellaneous, and
any other out of pocket expenses incurred by the auditors.
5. How is testing done, that is, how is sampling conducted for the testing of various control
objectives?
6. What auditing frameworks, standards, benchmarks, and guidelines will be used for the audit?
There are additional pricing and scoping points to discuss, but these are the most important
components to cover initially.
To learn more about the SAS 70 auditing standard, visit http://www.sas70.us.com, the official SAS 70
Resource guide, or email SAS 70 auditing expert Charles Denyer at cdenyer@ndbcpa.com
You can also obtain a sample SAS 70 Type II Report in pdf format.
NDB, LLP is a nationally recognized boutique CPA firm specializing in SAS 70 audits, Payment Card
Industry Data Security Standards (PCI DSS) assessments, and other regulatory compliance initiatives.
Discussion on SAS 70 Type I and Type II audits and important pricing and scoping considerations regarding Statement on Auditing Standards No. 70. Also included is a road map of activities to be undertaken for ensuring SAS 70 compliance.