Frequently Asked Questions.

1. What is a SAS 70?
A SAS 70 is an audit which reports on the "processing of transactions by Service Organizations". SAS 70 stands for Statement of Auditing Standard # 70 from the American Institute of Certified Public Accountants (AICPA).

2. What is a "service organization"?
This is a company (i.e., vendor) that provides services to another corporation. Here are some common "service organizations":

  • Payroll and Billing services
  • Claims handling
  • Credit processors
  • Clearing houses
  • Investment advisors
  • Market Research Firms
  • ASPs (Application Service Providers)
  • DPs (Data Processing Centers)

All of these companies have one thing in common: they all provide some type of outsourcing service, often handling sensitive or private data and conducting transactions with that data.

3. What industries require "service organizations" to obtain a SAS 70 audit?

Many industries are requiring vendors to obtain a SAS 70 audit. Here is a sample of them:

  • Banking/Financial Sectors: From small regional, community banks to large multinational corporations, these organizations require SAS 70 audits annually from their vendors who are providing critical outsourcing services.
  • Insurance Industry: Insurance corporations outsource many of their key processes to service organizations, thus SAS 70 audits are a vital component of this industry also.
  • Trucking/Transportation Industry: Service organizations routinely process docking tickets and other claims-related documents which are deemed sensitive information, thus SAS 70 audits are deemed critical for this particular industry.

In short, as the outsourcing of various processes and transactions continues to grow, so will the need for SAS 70 audits.

4. What are the benefits of a SAS 70 audit?
SAS 70 certification has many advantages, such as illustrating to your clients that internal controls within your organization are in place and working as designed. Furthermore, SAS 70 audits allow corporations to distinguish themselves from the competition by using the document as a marketing tool. In essence, it allows the corporation that obtained a SAS 70 audit to show outside parties that its internal controls are operating effectively for a stated period.

5. Who will use a SAS 70 audit report?
Historically, a "service auditor's report" was simply used to communicate findings to another auditor; however, this is dramatically changing. Service organizations are now becoming quite creative by using these reports to market themselves and their respective product offerings to others.

6. Are there different types of SAS 70 reports?
Yes. There is a Type I and a Type II report.

  • A Type I report is simply issued for a particular date. For example, a CPA firm would examine a company's controls on July 1, 2005 and report on the processing of transactions and these controls for that very same date: July 1, 2005.
  • A Type II report is issued after a six-month testing period has been completed. For example, a CPA firm would examine a company's controls from July 1, 2005 to January 1, 2006 and report on the processing of transactions and these controls for that very same six-month period. Unlike a Type I, which consists of inquiry and observation of controls, a Type II would include testing of controls.

7. Are there restrictions on distributing this report?
No. A service organization can distribute the report to any other third party, but it may only be used for informational purposes, with no reliance on the report. Traditionally, these reports have been limited to a select few, such as the "...management of the company, its user organizations, and the independent auditors of the user organizations."

8. Are SAS 70 audits new?
No. SAS 70 audits have been conducted since 1992. The demand for these audits has been spurred on by the Sarbanes-Oxley Act of 2002 and the overall increasing complexity of I.T. transactions. Corporations that require SAS 70 audits and vendors that have to comply with SAS 70 audits all agree this type of engagement will continue to grow at an alarming rate.

9. How long is a SAS 70 report valid?

SAS 70 Type I and Type II reports are valid for one full calendar year from the date of issue.

10. Will an organization suffer from "business interruption" during a SAS 70 audit?
Many organizations express concern over the time and resources needed to conduct a SAS 70 audit, particularly when the scope includes observing and ultimately testing a large number of controls throughout many areas of a company. Reznick Group is sensitive to these concerns, and thus strives to conduct SAS 70 engagements with the utmost efficiency and effectiveness. We schedule different phases of the audit to accommodate your most valuable resources: your employees and your time. Furthermore, we use a pioneering engagement process at the beginning of the audit which enables our Audit Assurance Team to gain valuable knowledge at the onset, thus minimizing repetitive processes and questions at a later date.
