Sas-70

By Author: Robert Brown
Total Articles: 3764
Comment this article

A SAS-70 audit on an organization shows that the organization has had a comprehensive audit of their control objectives and activities. The SAS-70 provides guidelines on how an auditing firm should conduct an audit for an entity that uses a service organization for some or all of its business operations and are registered with the U.S. Securities and Exchange Commission (SEC). SAS-70s are normally done for organizations that provide services to an entity. For their benefit, the entity may ask your organization to provide a report for internal controls which is where the SAS No. 70 comes into play. (SAS) No. 70, is a widely recognized auditing standard developed and maintained by the American Institute of Certified Public Accountants (AICPA). The SAS-70 therefore assures entities that their data is safe when being handled by a third party organization.

The audit includes controls over information technology and related processes in industries such as finance and accounting, payroll, insurance, software vendors, data centers, investments and funds accounting and many others. Service organizations must demonstrate and provide ...
... assurance that they have adequate controls and safeguards when they provide outsourced service processes to their customers.

Once the audit is complete and successful, the service organization is issued a service auditor's report that signifies that a service organization has had its control activities assessed and audited by an independent auditing firm. The service auditors report is prepared in accordance with SAS-70 rules and guidelines.

SAS No. 70 has now become the authoritative tool that allows service organizations to disclose their control activities and processes to their customers and their auditors in a uniform reporting format.

SAS No. 70s are classified under two Service Auditor's Reports: Type I and Type II.

In a Type I report, an auditor describes the controls of the service organization at a particular date.

In a Type II report, an auditor describes the controls audited and includes detailed tests conducted over a minimum period of six months.

The two reports contain an independent opinion by the auditor as to the suitability of the controls, a description of the controls, the control objectives, the key controls that are in place to achieve those control objectives, the control considerations to be used by entities that use that particular service organization, the tests conducted and their results as well as any other information that may have been provided by the service organization.

The SAS-70 when completed, is of significant value to both the service organization and its user organization. This is true because it provides assurance that internal controls over outsourced systems are effective for the service organization customers as well as the independent auditors of the customers. The service organization therefore differentiates itself from its peers. This can also help a service organization build trust with its customers. The customers are able to receive a detailed description of the service organizations' controls and their effectiveness.