What is a SAS 70 Audit?

The American Institute of Certified Public Accountants (AICPA) has developed Statement on Auditing Standards (SAS) No. 70, Service Organizations. An audit performed in accordance with SAS No. 70 is widely recognized because it represents that a service organization has been through an in-depth audit of its control objectives and control activities. These typically include controls over information technology and related processes. Organizations hosting or processing information belonging to customers (service organizations) must demonstrate that they have adequate controls and safeguards. Additionally, Section 404 of the Sarbanes-Oxley Act of 2002 makes SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.

SAS No. 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format.  The issuance of a service auditor's report prepared in accordance with SAS No. 70 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm.  The auditor's report, which includes the auditor's opinion, is issued to the service organization at the conclusion of a SAS 70 examination.

SAS No. 70 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve. It is not a "checklist" audit.

SAS 70 audits benefit both a service organization and a user. An unqualified opinion differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities. The extensive review and testing can provide the opportunity for improvement in many operational areas, and ensures that all user organizations and their auditors have access to the same information.

User organizations receive a detailed description of the service organization's controls and an independent assessment of whether the controls were placed in operation, suitably designed, and operating effectively. The SAS 70 audit assists the user's independent auditor in planning their financial audit, limiting the need to incur additional costs in sending their auditors to the service organization to perform required procedures.

Types of SAS 70 Audits

Two types of SAS 70 audits are conducted: Type I and Type II. A Type I report identifies the service organization's description of controls at a specific point in time. A Type II report includes the service organization's description of controls as well as detailed testing of the service organization's controls over a minimum six-month period.


Report Contents | Type I | Type II
1. Independent service auditor's report (an opinion). | Included | Included
2. Service organization's description of controls. | Included | Included
3. Information provided by the independent service auditor; includes a description of the service auditor's tests of operating effectiveness and the results of those tests. | Optional | Included
4. Other information provided by the service organization (e.g. glossary of terms). | Optional | Optional

In a Type I report, the service auditor will express an opinion on (1) whether the service organization's description of its controls presents fairly, in all material respects, the relevant aspects of the service organization's controls that had been placed in operation as of a specific date, and (2) whether the controls were suitably designed to achieve specified control objectives.

In a Type II report, the service auditor will express an opinion on the same items as a Type I report, and (3) whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified.

