A SAS 70 audit can only be performed by an independent certified public accountant (CPA) or firm. CPA firms that perform SAS 70 audits must adhere to specific professional standards established by the American Institute of Certified Public Accountants (AICPA). Licensed public accounting firms are required to follow specific guidance related to planning, execution, and supervision of the audit procedures and the reporting of the results of the audit. In addition, public accounting firms are required to undergo a peer review to ensure that their firm's audits are conducted in accordance with the applicable professional standards. Specific practicing requirements may vary depending on the requirements of the applicable State Board and/or other governing bodies.

The CPA firm, of course, may employ non-CPA professionals who have relevant business process, information technology, or security skills to participate in a SAS 70 engagement. However, the final report must be reviewed and issued by a CPA. This is particularly important if a user organization's auditors plan to rely on the results of the service auditor's tests of operating effectiveness.

There is currently no specific list of authorized SAS 70 service audit providers. However, a good place to start is a nationally recognized public accounting firm. When a service organization selects an audit firm to perform its SAS 70 audit, it should consider the following:

  • Experience in performing SAS 70 audits (i.e., service auditor's examinations)
  • Relevant industry experience (e.g., financial services, technology, telecommunications, health care, etc.)
  • Skilled audit professionals who understand the business and information technology (IT) controls and processes
  • Availability of resources (i.e., bandwidth to deliver the services on time)
  • Project management skills


If you need further information, contact us.

David Pitra commented on 28-Jun-2010 12:38 PM
Good morning,

Some of our clients want to realize SAS 70 Type I and Type II audits in Europe (in Europe SAS 70 is not so known).

If I have good information, we need to be certified as a CPA and then we can realize SAS 70 audits... or is some other licence or training from your organization needed?

Thank you for your answer.

With regards
Abhijeet U commented on 24-Dec-2010 05:45 AM
Can a SAS 70 audit be performed by an independent Certified Information Systems Auditor (CISA), a professional certified by ISACA for information technology audit? Your inputs would be valuable.
Nitin commented on 06-Jan-2011 09:52 AM
What is the relevance & significance of a SAS 70 audit to companies in India? Thanks.
Mahen commented on 10-Jan-2011 09:54 PM
Can a SAS 70 Type II report be done without a Type I report?
Tampa Bay Photography commented on 17-Jan-2012 12:35 PM
I've just found out that our bank is requiring us to have a SAS70 audit. Can our accountant perform this (he is a CPA), or do we need to have an outside firm do this? Thanks,
Tampa Photographer