At the conclusion of a SAS No. 70 service auditor's examination ("SAS 70 audit"), the service auditor renders an opinion on the following:

  • Whether or not the service organization's description of controls is presented fairly.
  • Whether or not the service organization's controls are designed effectively.
  • Whether or not the service organization's controls are placed in operation as of a specified date.
  • Whether or not the service organization's controls are operating effectively over a specified period of time (Type 2 only).

When the service auditor concludes that the above items have been accomplished, the service auditor renders what is referred to as an "unqualified opinion." While a SAS 70 audit is technically not a "pass" or "fail" audit, the receipt of an unqualified opinion from the service auditor is often referred to as "passing" the audit.

When the service auditor's procedures reveal exceptions or control deficiencies, the service auditor may conclude that a control objective could not be achieved due to a design deficiency or an operating effectiveness deficiency. When this occurs, the service auditor will "qualify" the opinion to indicate that the control objective could not be achieved. The receipt of a qualified opinion from the service auditor is sometimes referred to as "failing" the audit. This view of audit failure is also technically not accurate, because a qualified opinion does not imply that the other control objectives could not be achieved. For example, a service organization might have 15 control objectives, and the service auditor may conclude that one (1) of the 15 objectives could not be achieved. While the opinion would be "qualified", the other 14 objectives would still have been achieved and would still be of benefit to the users of the service organization.

If you need further information, contact us.

KR Meacham commented on 18-Jun-2010 03:56 PM
If you "pass" the audit, are you then considered SAS 70 certified or compliant? Is there a particular way it should be expressed?
James Lavin commented on 21-Sep-2010 09:24 AM
I run a physical co-location caged environment, so we are not responsible for the network in any way, just the physical infrastructure, space, power and cooling. We are asked about SAS 70 compliance, but I'm not sure what it means in our context, or whether this is something that the user has to worry about.

Thanks