SAS 70
SAS 70 stands for Statement on Auditing Standard 70 and it was developed by the American Institute of Certified Public Accountants. It is a “Report on the Processing of Transactions by Service Organizations” where professional standards are set up for a service auditor that audits and assesses internal controls of a service organization, a business or entity that provides outsourcing services.
Some of the many types of service organizations can be insurance claim processors, data centers, credit processing companies, and clearing houses.
SAS 70 is not just a checklist audit; it is a thorough audit used as an authoritative guide. It shows transparency to the businesses that the service organization works with. It also shows the service organizations prospective clients that the service organization has been thoroughly checked.
SAS 70 has grown with the implementation of the Sarbanes-Oxley Act (Sarbox or Sox) as an important resource to show the effectiveness of a service organization’s internal controls and data security safeguards.
The Two Types of SAS70 Reports
The first type is commonly referred to as Type I and includes an opinion written by the service auditor.
Type II reports have an additional section that includes the service auditor’s opinion on how effective controls operated under the defined review period.
There is a substantial difference between the Type I and Type II reports. Type II reports are more through, because the auditors gives an opinion on how effective the controls operated under the defined period of the review, while Type I only lists the controls.
Advantages for Using SAS 70 Reports
SAS 70 audits are costly and time consuming but they offer many advantages for the service organizations that use them.
For example it provides transparency and builds trust with its customers through having its controls and operations independently verified by an unbiased third party.This report can be requested by the customers.
Another advantage is that when an SAS 70 Type II Report is conducted, it can show many weaknesses or areas that can be improved.
SAS 70 Reports are extremely advantageous to user organizations too, because they can assess controls and safeguards. The reports that they receive are full of details describing the service organizations specific controls and in Type II reports, the effectiveness of controls and safeguards.
