Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS 70 audit is widely recognized because it represents that a service organization has been through an in-depth audit of its control activities. A SAS 70 review generally includes controls over transaction processing, systems and related processes.
SAS 70 reviews are applicable to any organization providing services for other organizations. These services include processing transactions related to financial statements and encompass application service providers, third party administrators (TPAs), bank trust departments, claims processing centers, internet data or other data processing service centers and outsourcers. Interested parties in the results of a SAS 70 review include:
- Customers of a service organization who want assurance that the organization has a system of internal controls in place to protect the customer’s data
- Auditors of a customer who want assurance that there are controls in place to protect their customer’s data
- The service organization which has an independent audit of the controls it has in place to provide assurance to customers and potential customers of the integrity of their processes
- Auditors of the service organization who obtain a detailed independent audit of the company’s system of internal controls
Agreed Upon Procedures
When a complete SAS 70 audit is not required, but you want a specific group of accounts, procedures or controls evaluated or reviewed, an Agreed Upon Procedures engagement may fit your needs.
An agreed upon procedures engagement can involve reviewing accounts, procedures or controls to evaluate their effectiveness or accuracy. The engagement reviews compliance with the processes you previously specified. We add our auditing, accounting and risk services expertise when needed to advise you on a specific or finite course of action.
In many cases, an agreed upon procedures engagement examines service level agreements (SLAs), contract compliance, benefit plan compliance or contracts for services between two parties. These are just examples of the types of accounts, agreements and contracts that can be examined in an agreed upon procedures engagement. Upon completion of the agreed upon procedures engagement, a report is issued for your review, often with suggestions and recommendations.
We have the experience your company needs. Because of our risk services expertise in performing SAS 70 audits and reviews in multiple industries, we are able to draw upon the knowledge and experience necessary to deliver extraordinary results to your organization. To learn more about our SAS 70 and SSAE 16 services, please contact us today.
We help you fulfill the fiduciary responsibilities of your benefit plans by helping you focus on the interests of plan participants and beneficiaries. Our affiliate, Benefit Plans Plus LLC, offers a Fiduciary Health Check™ that identifies opportunities, improves procedures and enhances systems.
We help you comply with HIPAA regulations by performing a gap analysis, constructing implementation plans or providing policies, procedures and resources. We can also assist you in assessing the business impact of HIPAA regarding the applicability of regulations, and its effect on business processes, controls and reporting requirements.
Payment Card Industry Services (PCI)
Payment card risk advisory services help to ensure protection of your customers’ privacy. Businesses rely on credit or debit cards to process monetary transactions every day. However, there are constant unsolicited and illegal attempts to access the cardholder data contained in those transactions. It is more important than ever for your business to have controls in place to adequately protect consumer information.
In 2004, VISA and MasterCard security standards were endorsed by the four other card brands creating the Payment Card Industry (PCI) Data Security Standard. This unified information security program was designed to protect credit card data based upon fundamental security controls. Compliance with the PCI Data Security Standard is required of all merchants and service providers that store, process or transmit cardholder data.
Brown Smith Wallace Risk Advisory Services can help your organization achieve and maintain PCI compliance. We can assist your organization with the following services:
- PCI DSS guidance and planning
- PCI QSA on-site audit