At the conclusion of a SAS 70 audit engagement, the service auditor will issue a Service Auditor's Report. The audit reports are then provided to the service organization for distribution to their respective user organizations (i.e. customers) and the independent auditors of the user organizations (i.e. user auditors). The user organizations are usually responsible for obtaining the audit report from the service organization and then distributing it to their auditors.

Guidelines for distributing Service Auditor's Reports should be formally communicated between the independent service auditor and the service organization. For example, an engagement letter between the independent service auditor and the service organization should discuss the restricted use of the Service Auditor's Report and expectations regarding distribution of the report.

Tips for obtaining a Service Auditor's Report: User Organizations

If you suspect that your service provider has received an independent service audit under SAS 70, you should request copies of the report for your own use and for distribution to your auditors. Hopefully, your service provider will provide you with an account executive who can assist in obtaining the audit report. Otherwise, consider contacting the following individuals/departments at your service provider:

  • Office of the Controller
  • Internal Audit department
  • Sales and Marketing department
  • Information Systems department

Tips for obtaining a Service Auditor's Report: User Auditors

As part of planning the financial statement audit for an organization that uses a third-party service provider, the user auditor is required to consider the internal control environment at the service organization. A Service Auditor's Report can assist the user auditor in gaining an understanding of the service organization's controls. User auditors should generally request the Service Auditor's Report from their traditional audit contacts (i.e. personnel in the accounting or finance function) at the user organization.

If you need further information, contact us.

jason commented on 18-Jun-2010 01:08 PM
We are an electronic security system company and a prospective client requires SAS 70. What do we need to do to conform with this?