FC Member Blog

SAS 70 Audits | Advice on Scoping for Type I or Type II SAS 70 Compliance

By Charles Denyer, Fri May 15, 2009
This blog is written by a member of our blogging community and expresses that member's views alone.
SAS 70 Audit Scope: Important Tips.

Defining scope is one of the most important activities undertaken for a
SAS 70 audit. What's more, it's a collaborative process that is driven by
your organization and the external CPA firm conducting the SAS 70 audit.

So, with that said, here are some of the finer points you need to identify
and discuss regarding SAS 70 audit scope:

1. If a SAS 70 Type II audit is to be performed, identify the test
period (e.g. 6 months, 10 months, 12 months).

2. Identify all physical locations that will have to be visited for
fieldwork for the SAS 70 audit.

3. Identify all outsourcing providers that YOUR organization uses, as they may
be impacted and brought into the scope of the actual audit. Discuss these vendors
with the CPA firm conducting the audit. Note: Data centers and managed service
providers are common entities that often fall into the scope of a SAS 70 audit,
so if you are using this type of facility, inform the auditors.

4. Identify and discuss the auditor's testing methodology; that is, how
population and sampling are arrived at, what frameworks and benchmarks/standards
the auditors are employing, and what constitutes an "exception" in
the eyes of the auditing firm for purposes of the SAS 70 audit.

5. Discuss billing and pricing for the SAS 70 audit. Are you getting a fixed fee for the audit or
is it hourly? If a fixed fee, are there any other expenses that may also be
incurred outside of the fixed fee?