Since service organizations are responsible for describing their controls and defining their control objectives, there is no published list of SAS 70 standards. Generally, the control objectives are specific to the service organization and their customers.

However, there are some great sources of control objectives and other published standards that can be used to prepare for a SAS 70 audit or another type of third party assurance.

The Information Systems Audit and Control Association (ISACA) publishes a set of control objectives referred to as "CoBIT". Information on CoBIT and how to purchase the latest editions are on the ISACA website at

Another great source of guidance is the WebTrust Principles and Criteria and the SysTrust Principles and Criteria. Both are available from the AICPA website and can be downloaded for free at Each principle has specific criteria elements and illustrative controls that can serve as a baseline for your organization.

The IT Governance Institute has published a very handy reference guide entitled "IT Control Objectives for Sarbanes-Oxley". You can download a PDF copy of this powerful research tool which maps many of the CobIT control objectives to the widely-recognized COSO framework for internal control. The control objectives contained in this document could be used as the basis or framework for a SAS 70 service auditor's examination.

Many organizations engage a professional services firm to perform a pre-assessment validation against the recommended controls to determine if the organization is truly prepared for a third party audit.

Audit programs and checklists should be developed by the service auditor and be as specific to the environment as possible.

If you need further information, contact us.

Comments are closed
Pam Preston commented on 07-Mar-2011 01:30 PM
What is looked for in a SAS 70 in regards to Provider NPI numbers?