What is SAS 70?

AICPA Statement on Auditing Standards No. 70 (SAS 70) has existed for several years. Its basic purpose is to permit service organizations to report on its controls to its clients and their auditors.  SAS 70 reports are typically requested by clientele when services provided by another organization are significant to the user’s financial statements, transactions or business processes.  A SAS 70 report contains a description of the processes and controls that a service provider performs and an audit opinion. This report is often requested by the company’s auditor in order to assess the controls provided by the service organization.

Why SAS 70?

 

•Demonstrate  that your processes and systems satisfy the objectives your clients expect

•Represent that your business fits the demands of the current regulatory environment and can hold up to  security and controls scrutiny

•Differentiate yourself from your competitors

•One audit engaged by you instead of multiple ones imposed by your clients

The Effect of SOX on Service Providers

The Sarbanes-Oxley Act of 2002  (SOX) has dramatically altered the way in which publicly traded companies manage their businesses.  The surprising side-affect is the impact on service providers, who may not be publicly traded, but provide services to publicly traded companies.

Section 404 of SOX requires public companies to document, evaluate and assert to the effectiveness of their internal controls over financial reporting, included the information technology environment which supports it.  Service organizations often become part of the processes and controls of the company and therefore become a subject of the internal control audit process.  This is why public companies are often asking their service provider for a SAS 70 report.  The SAS 70 report provides the company’s auditor with the necessary information to evaluate the controls provided by the service organization without having to audit the service provider themselves.

Types of SAS 70 Reports

There are two types of service auditor reports: Type I and Type II, which have a different level of opinion.  Differences between these are illustrated in the chart below.  Since a Type I report does not include an opinion on control operating effectiveness (i.e. controls placed in operation are performing as expected based on our testing), a Type II report is required most often by user organizations and their auditors.