


Wednesday, October 6, 2010

Five Keys to Success for Your SAS 70 Project

A SAS 70 project requires careful planning, execution and communication between the company and the SAS 70 consultant. Because another company’s auditors will rely on the resulting SAS 70 report, getting it right the first time is very important. Here are the top five things your company can do to make the project efficient, effective and successful for all involved.

Set a Proper Scope: Setting proper scope is crucial to producing an effective SAS 70 report. Management should leverage a risk-based approach for the creation of a SAS 70. This evaluation process should ensure sufficient understanding of how each risk can impact your customers’ operations and financial reporting. In turn, this will help to identify the proper scope and eliminate control objectives and business processes that are not critical to your customers.

Identify the Correct Project/Reporting Period: Many companies will align their SAS 70 with their own year-end or the calendar year-end without investing the time to determine the impact of this decision. If you are a company with a December 31st year-end, you will be starting your year-end close and financial reporting responsibilities shortly after the end of the calendar year. Combine this with vacations from the holidays, and your staff may be stretched during this important time of year. Armanino recommends evaluating your peak times during the year along with your customers’ fiscal year-end to determine the most appropriate timing for the SAS 70 project. This evaluation will typically identify alternative dates for SAS 70 project periods that meet your customers’ needs while occurring in a non-peak time for your business.

Request Appropriate Lead Time from Your Service Provider: Many SAS 70 providers will not provide a document request until they arrive on site for fieldwork. This means that your team will have less time to pull the requested samples and ensure they meet the service provider’s needs. By establishing proper lead times with your service provider, the necessary evidence can be gathered in advance of the team’s arrival, thereby increasing their efficiency, reducing the impact on your people and, in turn, reducing their overall cost.

Properly Define the Control Language: Many organizations make errors when defining their key control activities that are included in the SAS 70 report. The language will either be too general or too restrictive, both of which make reliance on the SAS 70 report difficult. If the control language is too general, your customers’ auditors will find it difficult to understand exactly what is being tested and what the results are. If the control language is too restrictive, it will drastically increase the likelihood that the SAS 70 report will include exceptions. These exceptions will reduce your customers’ ability to rely on the report as they had intended. By defining key control activities at the proper level of detail without making them overly restrictive you can ensure that the report will have the necessary detail for your customers without increasing your likelihood of encountering testing failures and exceptions.

Clear Client Ownership for the Project: A SAS 70, like any other project, will require some level of effort from client personnel. We have found that it is imperative that the client assign a clear owner for the project to ensure that client personnel are working effectively and efficiently with the SAS 70 service provider. That way, the project will remain on schedule, on budget and achieve the desired outcomes for all parties. Our experience has shown that the number one factor in increasing the overall cost of a SAS 70 project is lack of ownership and oversight by the client.

