Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled “Reports on the Processing of Transactions by Service Organizations”.

SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor’s report. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.

There are two types of service auditor reports:

A Type I service auditor’s report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives.

A Type II service auditor’s report includes the information contained in a Type I service auditor's report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review.

About this workshop

Statement of Auditing Standards (SAS) # 70 is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA).  The SAS 70 was adopted by AICPA as a standard in 1992. Increased outsourcing and the visibility of control requirements introduced in Section 404 of the Sarbanes-Oxley Act of 2002 have generated a large interest in SAS 70 examinations.

A SAS 70 audit or service auditor's examination is widely recognized, because it represents that a service organization has been through an in-depth audit of their control activities, which generally include controls over information technology and related processes.  In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers.  In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on effective internal controls at service organizations.

A SAS 70 examination indicates that a service organization has had its control objectives and activities examined by an independent auditing firm.  A formal report including the auditor's opinion ("Service Auditor's Report") is issued to the service organization at the conclusion of a SAS 70 examination. SAS 70 is not a pre-determined set of control objectives or control activities that service organizations must achieve.

Benefits

On completion of this course, participants will get a better understanding of

• What a SAS 70 audit is
• Control objectives in scope for a SAS 70 audit
• Key issues for the user and service organization
• How to prepare for a SAS 70 audit
• How to determine the appropriate scope and control objectives
• Conducting and reporting the results of a SAS 70 audit
• How to leverage other compliance efforts

Benefits to the Service Organization

• A Service Auditor's Report with an unqualified opinion that is issued by an Independent Accounting Firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities. 
• A Service Auditor's Report also helps a service organization build trust with its user organizations (i.e. customers).
• A SAS 70 engagement allows a service organization to have its control policies and procedures evaluated and tested (in the case of a Type II engagement) by an independent party.  Very often this process results in the identification of opportunities for improvements in many operational areas.

Benefits to the User Organization

• User organizations that obtain a Service Auditor's Report from their service organization(s) receive valuable information regarding the service organization's controls and the effectiveness of those controls. 
• The user organization receives a detailed description of the service organization's controls and an independent assessment of whether the controls were placed in operation, suitably designed, and operating effectively (in the case of a Type II report).