Service organizations that are considering a SAS 70 audit often ask whether they should instead, or in addition, obtain independent certification against one of the ISO 9000 standards. The two engagements are frequently confused, but they differ in purpose, scope and deliverable.

SAS 70 is an auditing standard that enables an independent auditor to evaluate and issue an opinion on a service organization's controls. The audit report (the "service auditor's report") contains the auditor's opinion, a description of the controls placed in operation and, if the report is a Type II, a description of the auditor's tests of operating effectiveness and their results. The report can be shared with the service organization's customers ("user organizations") and their respective auditors ("user auditors"). The service organization is responsible for describing the control objectives and control activities that would be of interest to user organizations and user auditors.

SAS 70 is not a pre-determined set of standards that a service organization must meet in order to "pass". Consequently there is no such thing as being "SAS 70 certified": the outcome of the engagement is the service auditor's report and opinion, not a certificate.

ISO is the International Organization for Standardization. It is made up of some 140 national standards institutes from countries large and small in all regions of the world. ISO develops voluntary technical standards which serve to safeguard consumers and general users of products and services.

ISO 9000 is a family of standards that addresses quality management systems within an organization. When an organization's management system is certified to an ISO 9000 standard, an independent auditor has checked that the processes influencing quality conform to the relevant standard's requirements. The primary objective is to give the organization's management and its customers confidence that the organization is in control of the way it does things. An organization that engages an independent auditor or certification body to check its processes, and is found to conform, receives a certificate of conformity from that auditor or certification body.

ISO 9000 lays down what requirements an organization's quality system must meet, but the standards do not dictate how they should be met. The ISO 9000 family was revised in late 2000 to reduce the number of standards, provide more explicit requirements for achieving customer satisfaction and continual improvement, provide a more logical structure, and define eight universal quality management principles. Effective December 15, 2000, the ISO 9000 standards were revised as follows:

  • ISO 9000:2000, Quality management systems - Fundamentals and vocabulary. Establishes a starting point for understanding the standards and defines the fundamental terms and definitions used in the ISO 9000 family.
  • ISO 9001:2000, Quality management systems - Requirements. Revised to consolidate the former ISO 9001, 9002 and 9003 standards into a single requirements standard. It has five key sections: Quality management system; Management responsibility; Resource management; Product realization; and Measurement, analysis and improvement. It is now the only standard in the ISO 9000 family against which third-party certification can be carried out.
  • ISO 9004:2000, Quality management systems - Guidelines for performance improvements. This guideline standard provides guidance for continual improvement of a quality management system, to the benefit of all parties through sustained customer satisfaction.

To better compare elements of SAS 70 and ISO 9001:2000, we have prepared the following comparison. For each area, the SAS 70 answer is given first, followed by the ISO 9001:2000 answer.

  • Who can perform the audit or certification?
    SAS 70: A certified public accounting firm with the appropriate skill set.
    ISO 9001:2000: An accredited registrar (certification body). ISO itself does not certify organizations or authorize registrars; registrars are accredited by national accreditation bodies.

  • What is the final deliverable resulting from the audit or certification?
    SAS 70: A service auditor's report containing the audit opinion, the organization's description of controls and, for a Type II report, a description of the auditor's tests of operating effectiveness and their results.
    ISO 9001:2000: A registrar's audit report of findings plus, if the quality management system is found to conform, a certificate of conformity.

  • Can this type of engagement satisfy the customer's external financial audit requirements?
    SAS 70: Yes, usually; the report is designed to be relied upon by user organizations and their auditors.
    ISO 9001:2000: No.

  • Can the evaluation criteria be customized?
    SAS 70: Yes; the service organization is responsible for describing the control objectives and controls that will be disclosed in the service auditor's report.
    ISO 9001:2000: No; the requirements of the standard are fixed, although the scope of the certified system (sites, products, processes) can be tailored.

  • What areas of the organization's processes are generally covered in this type of engagement?
    SAS 70: Control environment, control activities, risk assessment processes, information and communication processes, and monitoring processes.
    ISO 9001:2000: Quality management processes, which include operational processes.

  • What types of controls are generally evaluated and tested in this type of engagement?
    SAS 70: Organizational controls, application development and maintenance controls, logical security and access controls, application controls, system maintenance controls, data processing controls and business continuity controls.
    ISO 9001:2000: None of the above; the audit assesses the quality management system rather than specific IT controls.

  • Are the results of the auditor's procedures disclosed at the conclusion of the engagement?
    SAS 70: Yes, in a Type II engagement, where the report describes the tests performed and their results.
    ISO 9001:2000: No; the certificate attests conformity but does not describe the auditor's procedures or their results.

  • Are findings and recommendations presented to the organization as part of the engagement?
    SAS 70: Yes, usually.
    ISO 9001:2000: Findings (nonconformities) are reported, but not recommendations, because the registrar must remain independent of the system it certifies.

If you need further information, contact us.

diego commented on 31-Mar-2011 02:09 PM
I wonder if you give training on this, or where you would recommend studying for this review. If it is not necessary to do it in Argentina, is it possible to go to another country?
Alberto Rodriguez commented on 22-Jun-2011 01:52 PM
Which certified public accounting firms are already SAS 70 certified, and in which countries?