A service auditor's examination report ("SAS 70 audit report") is generally as of a point-in-time (e.g., September 30, 20xx) and, in the case of a Type 2 audit, will cover a specified period of time (e.g., January 1, 20xx to September 30, 20xx).

Most service organizations will have the SAS 70 audit conducted annually, because the user organizations and their auditors will need assurance that the service organization's controls are operating effectively for the current fiscal year of the user organization. There is no "SAS 70 renewal" from the standpoint of the service organization simply paying a fee to extend the results of their original SAS 70 audit. The service auditor must conduct a full and complete audit each year and report on the results. The description of controls in the service auditor's report may look the same from year-to-year, but the service auditor's procedures and/or tests will be new every year.

The PCAOB has elected not to establish any "bright lines" around when a SAS 70 audit report is no longer relevant or useful (refer to FAQ #25 in the PCAOB June 23, 2004 Staff Questions & Answers document). For public companies, it is up to the individual user organization and user auditor, respectively, to determine if the information contained in the SAS 70 audit report is current enough for purposes of management's assessment and for the planning of the user auditor's procedures.

If you need further information, contact us.

Comments are closed