SAS 115 audits are a critical checkpoint for organizations managing third-party service providers, but they directly drive up compliance costs and reshape your audit timeline. Understanding how these risk assessments influence scope and pricing helps you budget accurately and avoid surprises when engaging an auditor.
What Is SAS 115 and Why It Matters for Your Audit
Statement on Auditing Standards 115 requires auditors to evaluate the work of service organizations (like cloud providers, payment processors, or payroll vendors) when those vendors directly impact your financial reporting or internal controls. Rather than duplicating the entire audit of your service provider, your auditor relies on their SOC 2 report, SOC 3 audit, or a direct audit of that vendor—but only if specific conditions are met.
This creates a dependency: if your key vendors lack current, credible reports or control certifications, your external auditor must expand the scope of your engagement to compensate. That expansion translates directly to higher fees and longer fieldwork.
How SAS 115 Expands Audit Scope
When your auditor can't rely on a service provider's existing attestation, several things happen:
Direct testing of controls at the service organization is the most expensive option. Your auditor or a specialist auditor travels to the vendor's location (or performs remote walkthroughs) to test the controls claimed to exist. This typically adds 20–40 hours of audit time per vendor and can cost $3,500–$8,000 per vendor depending on complexity.
Increased substantive testing at your organization is the fallback. If your auditor can't access or trust the vendor's controls, they test more of your transactions, journal entries, and reconciliations to compensate. A mid-market company might see an additional 15–25 hours of fieldwork here.
Expanded risk assessment procedures mean your auditor spends more time understanding exactly which systems your vendor controls, what data flows between you, and where control gaps exist. This phase adds 8–15 hours upfront.
Typical Pricing Ranges for SAS 115 Impact
For a small to mid-market business (revenue $10M–$100M), a standard external audit ranges from $8,000–$25,000. SAS 115 considerations can increase that by:
- Minimal impact (one compliant vendor, good SOC 2): +$0–$2,000
- Moderate impact (two vendors, one lacking documentation): +$3,000–$7,000
- Significant impact (three or more vendors without attestations): +$8,000–$15,000+
Larger organizations with complex vendor ecosystems often pay $2,000–$5,000 per uncertified vendor for direct testing.
Steps to Control Your SAS 115 Audit Costs
Request vendor attestation reports early. Contact your payroll processor, cloud host, and payment processor now. Ask specifically for a SOC 2 Type II report (covers controls over time, not just a point-in-time snapshot). Most vendors provide these free or for $200–$500. This single step can cut your audit scope in half.
Prioritize vendors by risk. Not all vendors are equal. Your email provider matters far less than your bank or ERP system vendor. Work with your auditor to identify which vendors truly affect financial reporting, then focus certification efforts there first.
Plan vendor transitions strategically. If you're evaluating new vendors, include attestation/certification as a selection criterion. Switching costs are real, but a vendor without a SOC 2 report will cost you auditor fees repeatedly.
Document your vendor management process. Create a simple spreadsheet listing each critical vendor, their attestation status, and renewal date. Share it with your auditor. This demonstrates oversight and often allows your auditor to scope the work more efficiently, saving 5–10 billable hours.
What to Ask Your Auditor About SAS 115
When hiring an auditor or getting a proposal, ask directly: "Which of our vendors do you consider in-scope for SAS 115 testing, and what attestations do you require?" Push back on vague answers. A good auditor will list vendors by name and explain exactly what documentation reduces cost.
Also ask whether they'll accept vendor attestations your company already holds, or if they require their own verification. Some firms are flexible; others demand independence, which drives cost up further.
Mercoly helps you find and compare trusted audit and assurance providers who understand how to properly scope SAS 115 work and communicate pricing transparently.
Frequently Asked Questions
Q: If my vendor has a SOC 2 Type I report instead of Type II, will my auditor accept it? Probably not for high-risk vendors. Type I reports are a snapshot of controls at one moment; Type II covers at least six months of control operation. Auditors strongly prefer Type II. Push your vendor to upgrade.
Q: Can I use a vendor's SOC 3 report instead of SOC 2? Not for financial reporting controls. SOC 3 is marketing-focused and omits detailed control descriptions. SOC 2 Type II is the standard for SAS 115 work.
Q: How often do vendor attestations need to be current? Most auditors want reports no older than 12 months at audit date. If a vendor's SOC 2 expired six months ago, it's stale and your auditor will likely expand scope.
Get a clear SAS 115 scope and cost estimate from your auditor before you sign the engagement letter.