The Roadmap to SAS70 Success - Determine the Need

or Sexy as SOX on a Rooster

Not all companies need a SAS70 audit. There are several key reasons one would need a SAS70 audit.

  • You are a company that provides outsourced services to public companies. Public companies, as a result of Sarbanes-Oxley, are required to show their service providers have appropriate controls over processes and technology. In this case, you most certainly need a SAS70 audit.
  • You are a company that may want to provide outsourced services to public companies. In this case, you are anticipating a need.
  • You are a company that wishes to differentiate yourself from other companies providing a similar service. In this case, you are using the SAS70 as part of your business development strategy.
  • You are a company that, for one reason or another, may be audited by many of your customers, public or private. In this case a single SAS70 can eliminate the need for multiple audits, making your audit “life” much easier.
  • You are a company that sees a need to improve your internal controls and verify that improvement. This really is more a side benefit to conducting a SAS70 audit.

These are the primary reasons one would need a SAS70 audit. I can’t think of any other good reasons, so if you don’t fall into one or more of the categories above, then you likely shouldn’t put the effort into a SAS70 audit. If you can think of another valid reason, feel free to comment.

In addition, you need to decide the type of SAS70 audit. In reality, the only useful SAS70 audit is a Type II audit. To me, the only reason for a Type I is in preparation for a Type II or as a stopgap measure when you know you may have problems passing a Type II and you want to reduce the scope rather than “fail” a SAS70. The primary difference is that a Type I only verifies the controls at a specific point in time, while a Type II verifies that the controls are in place and operational over a significant period of time (min. 6 months).
