When companies receive a request for a SAS 70 audit, their first question is often, “What is this, and why am I being asked for it?”
A SAS 70 audit (Statement on Auditing Standards No. 70) is one function of auditing that assesses the internal controls of a service organization. When a service organization has access to important information, such as employee banking information or Social Security numbers, it must be determined that this information is stored and shared in a safe and secure manner.
“Imagine you are a big company and another company handles your payroll,” says Robert B. Brenis, CGEIT, CISA, MCP, PMP, a principal with Skoda Minotti Technology Services. “The payroll company has your employee names, Social Security numbers and access to your money, so it would need a SAS 70 because they are a service provider for your organization. A SAS 70 audit will ensure that the information shared is secure.”
Smart Business learned more from Brenis about SAS 70 audits.
How does a SAS 70 audit benefit a service company?
Being compliant opens doors for more work. A lot of companies are getting inquiries from prospective clients asking, ‘Are you SAS 70 compliant?’ If they say no, that’s the end of the conversation. It’s a great marketing tool for a lot of organizations, and it helps you identify areas where you have weak controls.
What differentiates SAS 70 from other audits?
A financial audit is the same procedure over and over again; it stays the same every time. A SAS 70 is not a financial audit, so there is no boilerplate procedure; each audit is different.
If you have access to client data, such as employee or customer information, or financial transaction information, or if you are controlling any of your customers’ information, odds are you are going to need a SAS 70.
An example would be any company that houses other companies’ servers. They need a SAS 70 because they are controlling the backbone of your company.
Because they are different every time, does that make SAS 70 audits more difficult to prepare for than regular financial audits?
No, that’s one area in which your accounting firm can help you. They sit down with clients and prospective clients and help them figure out what it is that they need to be concerned about. They then help them identify what controls need to be tested.