Service organizations that perform key services and/or provide data processing on an out-sourced basis are often asked by their customers for a SAS 70 report. Regulations such as Sarbanes-Oxley and others have increased the demand for these audits.

Simply put, SAS 70 audits are performed by CPAs ("service auditors") and provide assurance to the service organization's customers and their auditors that certain controls identified in the SAS 70 report are adequately designed and are operating effectively. These audits are divided into two classifications, Type I and Type II. A Type I can be considered a "point-in-time" audit, whereas a Type II engagement looks at the operating effectiveness of the identified controls over a period of time (usually at least six months).

LBMC has performed SAS 70 audits for:

• Data center and hosting services providers
• Benefits administrators
• Medical claims TPAs
• Application service providers
• Other service providers in various industries

The coverage and quality of SAS 70 reports can vary significantly from one service auditor to another. It is important to work with a service auditor who is knowledgeable and experienced in identifying, testing, and reporting on the types of controls that are important to the service organization's customers and their auditors.

Our multi-disciplined teams at LBMC have the financial and information systems auditing experience to ensure that companies undergoing a SAS 70 audit realize true benefits of the auditing process.

• What is a SAS 70 Audit?