SAS 70 Audits
The American Institute of Certified Public Accountants (AICPA) has developed Statement on Auditing Standards No. 70 (SAS 70) as the auditing standard for the examination of business and information technology controls within service organizations. Only an experienced independent certified public accounting firm can conduct and provide attestation opinions for SAS 70 audits.
While SAS 70 audits are necessary to achieve Sarbanes-Oxley compliance, they are not reserved only for publicly traded or highly regulated industries. The mitigation of customer risk is the responsibility of the process owner. As such, third-party servicing agreements often require annual SAS 70 audits so that the client can be assured that the service organization is operating in a diligent and risk-mitigating manner.
In the evaluation of observed process controls, there are two distinctly different types of reports, Type I and Type II.
A Type I report presents the service organization's description of controls at a specific point in time. A Type II report not only includes the service organization's description of controls, but also includes detailed testing of controls over a period of at least six months.
In a Type I report, an opinion will be expressed on:
• whether the service organization's description of its controls is presented fairly in all material respects,
• whether the relevant aspects of the service organization's controls were placed in operation as of a specific date, and
• whether the controls were suitably designed to achieve specified control objectives.
In a Type II report, an opinion will be expressed on the same items noted above and, in addition, on:
• whether the controls were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified.

