
Services: Information Technology Services


SAS 70 Audit

Network Audit, Network Security, Security Testing, and Security Consulting
Packer Thomas' security assessments and audits help organizations enhance data security and privacy, safeguard information, comply with regulatory concerns, and reduce legal liability. Packer Thomas' network and security audit is ideal for:

  • Organizations with large clients and customers that require an external audit
  • Ensuring system reliability, performance, and integrity
  • Emerging and fast-growing firms
  • IPO-ready organizations
  • Organizations concerned about security
  • Businesses with distributed offices
  • Organizations in the financial and health care industries
  • Organizations that share and collect personal and/or proprietary data

50 Point Work Plan
Packer Thomas' network and security audits and assessments are customized to your specific needs and review and analyze 50+ different subject areas including:

  • IT systems - hardware, software, and external services
  • People - internal and external IT resources
  • Processes - policies, procedures, and guidelines

Our analysis includes a review of your network and server equipment, scalability, performance, connectivity, backups, electronic communications such as e-mail and instant messaging, software licensing, software patch management, portable computing devices, and many other areas.

Our services include a review of your packaged and custom software change management processes. We also review your employee handbook, policies on the use of information systems, and related documentation. In addition to the IT infrastructure, our Work Plan includes interviews with IT, management, and key users to determine if there is an alignment or satisfaction issue with the IT department.


SAS 70 FAQs:


 

What is a SAS 70?
SAS 70 is shorthand for the American Institute of Certified Public Accountants' Statement on Auditing Standards No. 70, titled "Reports on the Processing of Transactions by Service Organizations," which was issued in 1992. This internationally recognized auditing standard discloses the control processes a company uses to handle its customers' financial records.


What information does a SAS 70 contain?
A typical SAS 70 report contains:

  • The independent auditor's opinion on the design, implementation and effectiveness of your company's controls over a specific audit period;
  • The environment, objectives and controls your company has in place to achieve the necessary level of internal control standards; and
  • The specific tests used to determine the level of control, including the results of these tests

Why do I need a SAS 70 Audit?
Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor's examination performed in accordance with SAS No. 70 ("SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of its control objectives and control activities, which often include controls over information technology and related processes. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.

A SAS 70 audit offers many potential benefits to service organizations. Here are some examples of possible benefits of having a SAS 70 audit:

  1. SAS No. 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. 
  2. The issuance of a service auditor's report prepared in accordance with SAS No. 70 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. 
  3. User organizations that obtain a Service Auditor's Report from their service organization(s) receive valuable information regarding the service organization's controls and the effectiveness of those controls. 
  4. The user organization receives a detailed description of the service organization's controls and an independent assessment of whether the controls were placed in operation, suitably designed, and operating effectively.

Firmly grounded in the AICPA Statement on Auditing Standards (SAS) No. 70, our Service Auditor’s Report is one of the best ways for a service organization to differentiate itself from its competitors and clearly express a commitment to internal controls.

One of the key benefits of our report is that it provides a single source of information in a standardized format that can be relied on when evaluating a service organization's controls. A SAS 70 report can also be used as a marketing tool, demonstrating to potential customers that your management has been proactive in obtaining the opinion of a reputable third party as to the soundness of your organization's controls.



Why is SAS 70 becoming a must-have audit?
Although SAS 70 was issued in 1992, demand for this type of audit has increased dramatically since the passing of the Sarbanes-Oxley Act of 2002, which set new requirements for corporate accountability and internal controls.

SAS 70 is now often required by publicly held companies that outsource business related to their financial statements and accounting records. Service providers without SAS 70 audits risk losing business from those customers.

A SAS 70 also provides a compelling point of difference for your firm when you're talking to prospects and clients at privately held companies—they'll have peace of mind knowing that an independent auditor has certified that your internal controls are of the highest standards.




What types of companies should have a SAS 70 audit?
A publicly held customer will likely request a SAS 70 audit when your services involve any of the following:

  • Transactions that are significant to the client's financial statements;
  • Automated and manual procedures that initiate, record, process and report the client's transactions;
  • The collection of accounting records related to the client's transactions;
  • The capture of other events and conditions that can affect the client's financial statements; and/or
  • Any reporting processes necessary to prepare the client's financial statements.

Some examples of service organizations include:

  • Application service providers (ASPs)
  • Billing and payroll services
  • Claims administration
  • Credit and collections
  • Data processing centers
  • Freight auditors
  • Investment advisors
  • Market research firms
  • Medical billing firms
  • Rebate processors
  • Third party administrators



What are the benefits of a SAS 70 audit to service organizations?

Service organizations receive significant value from having a SAS 70 audit. Benefits include:

  • Generating new revenue opportunities by opening new markets. A SAS 70 audit provides a compelling point of difference for your firm. It could open the door to larger businesses and publicly traded companies that weren't prospects before because they are required to do business with SAS 70-compliant service providers.
  • Retaining customers in a rapidly changing environment. Simply put, a service provider without a SAS 70 audit risks losing business from customers who require their providers to have SAS 70 audits.
  • Building customers' trust. Armed with a SAS 70 audit, you can prove to customers and prospects that your company is committed to safeguarding their data and assets. They'll have peace of mind knowing the proper internal controls are in place and operating effectively to protect their data and assets.
  • Improving your company's internal controls. Because a SAS 70 audit evaluates your control policies, independent auditors can often identify ways to improve your own operations and increase your efficiency. In addition, your company can use the report as a training tool for your staff.
  • Helping to expose weaknesses and inefficiencies in your IT environment. A SAS 70 audit incorporates a review of the IT controls that are in place to protect your customers' data and assets.
  • Maximizing your company's resources. Having a SAS 70 audit can reduce or eliminate the need to fulfill individual audit requests from customers throughout the year, which can strain your resources.

What are the benefits of a SAS 70 audit to user organizations?
The SAS 70 audit gives the user organization—the company outsourcing its data services—assurance that its service providers have implemented processes and internal controls to safeguard its data.

This is important not only for the user organization's peace of mind, but also because the user organization must be able to show that the processes and controls of its service providers are compliant with Sarbanes-Oxley.

For a user organization, obtaining a SAS 70 audit by an independent auditor is much more efficient than having external auditors (or staff members) perform audits on each individual service provider.

In addition, a SAS 70 audit can save you money on your financial statement audit. If you're audited, the information in a SAS 70 audit can be used to reduce the amount of work your auditors must do to examine your internal controls.



How often should a service organization have a SAS 70 audit performed?
A SAS 70 audit should be performed so that the report date is within six months of the user organization's year-end. Some companies choose to have a SAS 70 audit every six months to ensure that it can be used by their customers.


What is the difference between a Type I and a Type II SAS 70 audit?
A Type I report covers a specific point in time (e.g., January 1, 2007), while a Type II report covers a specific date range (e.g., January 1, 2007 through March 31, 2007). A Type II report also includes a statement on the operating effectiveness of the company's control activities, which is not part of a Type I report.


Please contact Jeff Sheets for more information: jsheets@packerthomas.com

© Copyright 2009 Packer Thomas Certified Public Accountants & Business Consultants. All Rights Reserved.