No, not necessarily. An organization may have many business units, one of which may process transactions or provide data processing services for its customers. Therefore, the SAS 70 audit could focus on just that business unit. The service auditor's report can be customized to specifically identify the applicable data centers, operating environments, and applications that are covered in the audit.

Since a SAS 70 engagement is generally designed to provide user organizations and their auditors information about the service organization's internal control environment, there are some control elements at the organization level that would probably be touched upon in a SAS 70 engagement. For example, organization-wide Human Resource policies and procedures may be an important control activity for a specific data center or application group.

If you need further information, contact us.

Comments are closed