SAS 70 – known as the Statement on Auditing Standards No. 70 was developed by the American Institute of Certified Public Accountants.  SAS 70 defines and outlines the standards an auditor must use in order to assess the contracted internal controls of a service organization. By definition service organizations under SAS 70 would be hosted data centers, insurance claims processors and credit processing companies etc; any organizations that provides outsourcing services that affect the operation of the contracting enterprises or organization.

SAS 70 Type I and Type II.

In a Type I report, the auditor evaluates the efforts of a service organization at the time of audit for prevention of accounting inconsistencies, errors and misrepresentation as well as the likelihood those effort will produce the desired future results.

In a Type II report, the same information is included as shown in a Type I report. However in a Type II report the auditor works to determine the effectiveness of agreed to controls since they were originally implemented. Type II reports also reviews data compiled during a specific time period – usually six months and operational areas that may need improvement as part of the overall report.

Generally SAS 70 reports are commissioned by the service organization or the user organization. Having a consistent and independent service auditor’s report builds customer confidence and trust. However a lack of current reports may generate multiple audits and can be very costly.

Loricca’s SAS 70 Readiness Assessment

Loricca’s SAS 70 Readiness Assessments is designed to assist service organizations in assessing their preparedness for a SAS 70 audit. Unlike a SAS 70 audit which has the objective of reporting on existing controls, our Readiness Assessment services are designed to identify those controls that should be implemented or improved prior to an actual audit.

Loricca’s Readiness Assessment services provide our clients the following benefits:

• Introduced to SAS 70 Solutions’ methodology and operating procedures.

• Future audit time commitments that may be necessary from personnel are discussed/agreed to.

• Reporting (confidential internal use only) is provided that creates the basis for improving the overall control environment.

• Control descriptions are drafted and ready to be used for the subsequent SAS 70 audit.

• Strengths and weaknesses in the current control structure are documented (see reporting above) and communicated; includes detailed recommendations for improvements allowing for sufficient time to remediate any gaps in the control structure.

• Immediate questions and answer session with our SAS 70 professionals to discuss the impact potential changes to services or controls may have on the upcoming SAS 70 audit.

Who Should Consider a SAS 70 Readiness Assessment? A service organization that answers yes to any of the following:

• desires to address its current readiness for an actual SAS 70 audit in a cost effective yet professional manner

• who has not recently or ever undergone a financial or regulatory audit that included IT controls as part of the audit

• that prefers an internal-use-only report for the purposes of identifying any current controls issues prior to the actual SAS 70 audit

• who intends to perform a Type 2 SAS 70 audit as its initial audit but wants to understand its internal issues prior to the audit

Contact us today to discuss SAS 70 audits and how our professional auditors can take a make your Type I and/or Type II audits as stress free as possible with being prepared and completed by auditing professionals. ~ 813-600-3005