Pre-Assessment

• Scope - Determine the significance of your business’ controls to the user organization’s internal control and assertions embodied by the user organization to identify the business processes that will be covered in the SAS 70 audit.
• Project Planning - Develop timeline for the scope of work to be completed.
• Controls Evaluation
  • Evaluate process and relevant IT controls
  • Perform testing to evaluate appropriateness and effectiveness of control design
  • Identify and communicate control deficiencies to management
  • Recommend required controls and guidelines to management
  • Allow time for management to remediate deficiencies prior to the initiation of the SAS 70 audit report period

Fieldwork

• Evaluate the operational and IT controls
• Perform testing to evaluate the appropriateness of the control design and effectiveness
• Identify control deficiencies
• Communicate any control design and effectiveness deficiencies to management

 Reporting

• Create initial SAS 70 draft report including verbiage from client for section two of the report
• Review draft of SAS 70 report with management
• Modify SAS 70 report based on discussions with management, if necessary
• Deliver final SAS 70 Type I or Type II report

Continued Support

• Work with client on any open items to ensure that they are addressed before next audit
• Discuss timing of next audit
• If needed, discuss the benefits of Type II vs. Type I so client and users of the report get the most value