SAS 70

SAS 70 or Statement on Auditing Standards No. 70, is the set of standards an auditor must use to audit and evaluate a service organization’s contracted internal controls. These standards have been developed since 1988 and are maintained by the American Institute of Certified Public Accountants (AICPA). After each audit, the auditor would release a report called the “Service Auditor’s Report.”

A service organization is a business organization or entity which offers outsourcing services that greatly affect the control environment of customers. Examples of service organizations are clearing houses, contracting enterprises, insurance claim processors, and hosted data centers.

SAS 70 is not merely a checklist of auditing basics; it is a meticulous and methodical audit used mainly as a respected guidance. Today, it is a very useful and significant auditing tool that illustrates transparency to the businesses that the service organization deals with.

Moreover, SAS 70 reveals to the prospective clients of a service organization that the organization has been comprehensively assessed. After passing SAS 70, an organization is considered to have sufficient safeguards and controls either when hosting specific information or dealing out information such as the data of the organization’s customers.

The popularity of SAS 70 has progressively grown with the realization of the Sarbanes-Oxley (Sarbox) Act. The Sarbox Act emphasizes the significance of employing SAS 70 as a vital resource to display the efficiency of the data security safeguards and internal controls of a service organization.

There are two types of SAS 70 reports:

  • Type I describes the degree to which the service organization characterizes its services about the controls executed in operations. It also describes how the organization sets to accomplish the objectives that are laid out.
  • Type II is similar to the first type, but with an additional section. This part incorporates the service auditor’s judgment on how efficient controls functioned during the defined period of the review (usually 6 months or more)
  • It should be noted that the Type II is more comprehensive because of the auditor’s opinion.The first type merely gives a list of the controls, but Type II evaluates how effective these controls were to guarantee that these controls are performing correctly. Because Type II is more thorough; hence, it is usually more expensive.

    Additional Reading on SAS 70