SAS 70 FAQ's


01. What are the differences between SAS 70 and the ISO 9000 family of standards?
02. Who can perform a SAS 70 audit? What should the service organization look for?
03. Does the entire organization have to be audited?
04. How are SAS 70 audit reports generally distributed?
05. What are the contents of a SAS 70 report?
06. How do I read a SAS 70 audit report?
07. What if my service provider does not have a SAS 70 audit performed?
08. Can a SAS 70 audit be performed outside of the United States?
09. What is SysTrust? What is the difference between a SAS 70 audit and a SysTrust audit?
10. What is WebTrust?
11. Is there a baseline standard for how a service organization should disclose its controls?
12. How can a service provider prepare for a SAS 70 audit?
13. Where can I get a copy of the SAS 70 audit standard?
14. Is there a list of SAS 70 standards, control objectives, or checklists?
15. What is ISO 17799? What is BS 7799?
16. How much does a SAS 70 audit/examination cost?
17. Can I have a control objective related to Business Continuity and/or Disaster Recovery?
18. What is Sarbanes-Oxley? What do Service Organizations need to know?
19. How does a service organization "pass" or "fail" a SAS 70 audit?
20. How often does a SAS 70 audit need to be renewed? Does a SAS 70 audit ever expire?
21. Can I display the SAS 70 shield logo on my website?
22. Is SAS 70 going to be replaced? What are ISAE 3402 and SSAE 16?

More About SAS 70

Latest News

  • June 25, 2010

    AICPA webcast on New Service Organization Reporting Standards
    The AICPA will be hosting a webcast on June 28, 2010 at 2:00pm (Eastern Time) entitled "SAS 70 the Next Generation: Planning for the New Service Organization Standards."  Visit the AICPA website (http://www.aicpa.org) for further information and to register for the webcast.

  • May 10, 2010

    10th Anniversary - New Site Design
    We've celebrated 10 years of being on the internet by redesigning the site for a better viewing experience.  Stay tuned for more site updates and new features.

  • February 17, 2010

    New ISAE 3402 and SSAE 16 pages
    We've launched new pages to provide you with information on the new International (ISAE 3402) and US (SSAE 16) Standards on Service Organization Reporting.                     

  • January 29, 2010

    Statement on Standards for Attestation Engagements (SSAE) No. 16
    The Auditing Standards Board (ASB) of the AICPA has issued Statement on Standards for Attestation Engagements (SSAE) No. 16, “Reporting on Controls at a Service Organization.”  This new Standard is similar to the global standard (ISAE 3402).  SSAE No. 16 will supersede SAS No. 70. The effective date for SSAE No. 16 will be for service organization reports with periods ending on or after June 15, 2011.

Prev Next