SAS 70 Overview
Statement on Auditing Standards (SAS) No. 70, Service Organizations, was a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor's examination performed in accordance with SAS No. 70 (also commonly referred to as a "SAS 70 Audit") represents that a service organization has been through an in-depth examination of their control objectives and control activities, which often include controls over information technology and related processes. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.
For nearly 18 years, SAS No. 70 was the authoritative guidance that allowed service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. The issuance of a service auditor's report prepared in accordance with SAS No. 70 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. The service auditor's report, which includes the service auditor's opinion, is issued to the service organization at the conclusion of a SAS 70 examination.
SAS No. 70 provides guidance to enable an independent auditor ("service auditor") to issue an opinion on a service organization's description of controls through a Service Auditor's Report (see below). SAS 70 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve. Service auditors are required to follow the AICPA's standards for fieldwork, quality control, and reporting. A SAS 70 Audit is not a "checklist" audit.
SAS No. 70 is generally applicable when an independent auditor ("user auditor") is planning the financial statement audit of an entity ("user organization") that obtains services from another organization ("service organization"). Service organizations that impact a user organization's system of internal controls could be application service providers, bank trust departments, claims processing centers, data centers, third party administrators, or other data processing service bureaus.
In an audit of a user organization's financial statements, the user auditor obtains an understanding of the entity's internal control sufficient to plan the audit as required in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit. Identifying and evaluating relevant controls is generally an important step in the user auditor's overall approach. If a service organization provides transaction processing, data hosting, IT infrastructure or other data processing services to the user organization, the user auditor may need to gain an understanding of the controls at the service organization in order to properly plan the audit and evaluate control risk. st
In 2011, Statement on Standards for Attestation Engagements (SSAE) No. 16 took effect and replaced SAS 70 as the authoritative guidance for performing a service auditor's examination. SSAE 16 established a new attestation standard (AT 801) to contain the professional guidance. You can learn more about SSAE 16 at www.ssae16.com. At the same time, the AICPA also launched a new Service Organization Controls (SOC) reporting framework designed to allow practitioners to provide different types of reports depending on the needs of service organization and their stakeholders. The AICPA has a web page dedicated to providing more information.