Specializing in SAS 70 Audits IS Partners, LLC | Certified Public Accountants
Home About Us Services Our Process Resources Contact Us
 

Frequently Asked Questions

1. What is a SAS 70?
2. What is a "service organization"?
3. What industries require "service organizations" to obtain a SAS 70 audit?
4. What are the benefits of a SAS 70 audit?
5. Who will use a SAS 70 audit report?
6. Are there restrictions on distributing this report?
7. Are SAS 70 audits new?
8. How long is a SAS 70 report valid?
9. Will an organization suffer from "business interruption" during a SAS 70 audit?

1. What is a SAS 70?
A SAS 70 is an audit which reports on the "processing of transactions by service organizations". SAS 70 stands for Statement of Auditing Standards No. 70 from the American Institute of Certified Public Accountants (AICPA).
top

2. What is a "service organization"?
This is a company (i.e., vendor) that provides services to another corporation. Here are some common "service organizations":

• Payroll and Billing Services
• Claims Handling
• Credit Processors
• Clearing Houses
• Investment Advisors
• Market Research Firms
• ASP's (Application Service Providers)
• DPC's (Data Processing Centers)

All of these companies have one thing in common - they are all providing some type of outsourcing service, often handling sensitive or private data and conducting transactions with this very data.
top

3. What industries require "service organizations" to obtain a SAS 70 audit?
Many industries are requiring vendors to obtain a SAS 70 audit. Here is a sample of them:

Banking/Financial Sectors: From small regional, community banks to large multi-
national corporations, these organizations require SAS 70 audits annually from their
vendors who are providing critical outsourcing services.

Insurance Industry: Insurance corporations outsource many of their key processes to
service organizations, thus SAS 70 audits are a vital component of this industry also.

Trucking/Transportation Industry: Service organizations routinely process docking
tickets and other claims-related documents which are deemed sensitive information,
thus SAS 70 audits are deemed critical for this particular industry.

In short, as outsourcing various processes and transactions continues to grow, so will the need for SAS 70 audits.
top

4. What are the benefits of a SAS 70 audit?
SAS 70 certification has many advantages, such as illustrating to your clients that internal controls within your organization are in place and working as designed. Furthermore, SAS 70 audits allow corporations to distinguish themselves from the competition by using the document as a marketing tool. In essence, it allows the corporation who obtained a SAS 70 audit to show outside parties that their internal controls are operating effectively for a stated period.
top

5. Who will use a SAS 70 audit report?
Historically, a "service auditor's report" was simply used to communicate findings to another auditor; however, this is dramatically changing. Service organizations are now becoming quite creative by using these reports to market themselves and their respective product offerings to others.
top

6. Are there restrictions on distributing this report?
No. A service organization can distribute the report to any other third party, but it may only be used for informational purposes, with no reliance on the report. Traditionally, these reports have been limited to a select few, such as the management of the company, its user organizations, and the independent auditors of the user organizations.
top

7. Are SAS 70 audits new?
No. SAS 70 audits have been conducted since 1992. The demand for these audits have been spurred on by the Sarbanes-Oxley Act of 2002, the overall increasing complexity of information technology transactions. Corporations who require SAS 70 audits and vendors who have to comply with SAS 70 audits all agree this type of engagement will continue to grow at an alarming rate.
top

8. How long is a SAS 70 report valid?
SAS 70 Type I and Type II reports are valid for one full calendar year from the date of issue.
top

9. Will an organization suffer from "business interruption" during a SAS 70 audit?
Many organizations express concern over the time and resources needed to conduct a SAS 70 audit, particularly when the scope includes observing and ultimately testing a large number of controls throughout many areas of a company. At IS Partners, we are sensitive to these concerns, and thus, strive to conduct SAS 70 engagements with the utmost efficiency and effectiveness. We schedule different phases of the audit to accommodate your most valuable resources - your employees and your time. Furthermore, we use a pioneering engagement process at the beginning of the audit which enables our Audit Assurance Team to gain valuable knowledge at the onset, thus minimizing repetitive processes and questions at a later date.
top

Go Back
Home | About Us | Services | Our Process | Resources | Contact Us
Our Leadership | Our Commitment | Internal Control Assessments | SAS 70 Audits | FAQ | Links
© 2006 Interactive Solutions. All rights reserved.