The AICPA (American Institute of Certified Public Accountants) developed and maintains the SAS 70 (Statement on Auditing Standard 70). Specifically, SAS 70 is a “Report on the Processing of Transactions by Service Organizations” where professional standards are set up for a service auditor that audits and assesses a service organization’s internal controls. At the end of the audit, the service auditor issues an important report called the “Service Auditor’s Report.”
A service organization can be defined as a business or entity that provides outsourcing services. These outsourcing services can, and in most cases do, impact the customers’ control environment. Examples of service organizations include insurance claim processors, data centers, credit processing companies, and clearing houses.
It should be noted that SAS 70 is not a bare-bones checklist audit. It is an extremely thorough audit that is used chiefly as an authoritative guide. In today’s market, it is a very helpful and substantial audit that shows transparency to the businesses that a service organization works with. In addition, it shows the service organization’s prospective clients that the service organization has been thoroughly checked and deemed to have satisfactory controls and safeguards, whether it is hosting specific information or processing information such as data belonging to the customers it does business with.
SAS 70 has grown increasingly popular with the implementation of the Sarbanes-Oxley Act (usually referred to as Sarbox or SOX). The Act adds importance to SAS 70 as a resource for showing the effectiveness of a service organization’s internal controls and data security safeguards.
History and Timeline
| Statement | Date Issued | Title of Statement |
| --- | --- | --- |
| SAP No. 29 | October 1958 | Scope of the Independent Auditor’s Review of Internal Control |
| SAP No. 41 | November 1971 | Reports on Internal Control |
| SAP No. 54 | November 1972 | The Auditor’s Study and Evaluation of Internal Control |
| SAS No. 3 | December 1974 | The Effects of EDP on the Auditor’s Study and Evaluation of Internal Control |
| SAS No. 44 | December 1982 | Special-Purpose Reports on Internal Accounting Control at Service Organizations |
| SAS No. 48 | July 1984 | The Effects of Computer Processing on the Audit of Financial Statements |
| SAS No. 55 | April 1988 | Consideration of Internal Control in a Financial Statement Audit |
| SAS No. 70 | April 1992 | Service Organizations |
| SAS No. 78 | December 1995 | Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55 |
| SAS No. 88 | December 1999 | Service Organizations and Reporting on Consistency |
| SAS No. 94 | May 2001 | The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit |
| PCAOB No. 2 | March 2004 | An Audit of Internal Control over Financial Reporting in Conjunction with an Audit of Financial Statements. Note: Appendix B refers to Service Organizations. |
The Two Types of SAS 70 Reports
It should be noted that there are two different types of SAS 70 reports. The first type, commonly referred to as Type I, includes an opinion that the service auditor wrote. Type I reports describe the degree to which the service organization fairly represents its services with regard to the controls that have been implemented in operations and whether those controls are designed to achieve the objectives set forth.
Type II reports are similar to Type I, but an additional section is added. The additional section includes the service auditor’s opinion on how effectively the controls operated during the defined review period (usually the defined period is six months, but it can be longer).
There is a substantial difference between the Type I and Type II reports. Type II reports are more thorough because the auditors give an opinion on how effectively the controls operated during the defined review period. Type I only lists the controls, but Type II tests the efficacy of these controls to reasonably assure that they are working correctly. Because Type II reports require a much more thorough audit, they are usually much more expensive.
Advantages of Using SAS 70 Reports from the Service Organization Perspective
While SAS 70 audits and reports can be costly and time-consuming, they have definite advantages for service organizations that use them.
One of the many advantages is that a SAS 70 report provides transparency and builds trust with the service organization’s customers by having an unbiased third party verify controls and operations independently. Since this report is extremely thorough and comprehensive, many users (customers) request it. One SAS 70 report can be sent to many customers, instead of several individual audits being done for each specific customer.
Another advantage is that when a SAS 70 Type II Report is conducted, it can show many weaknesses or areas that can be improved. Sometimes these areas are not known to the service organization, and steps can be taken to correct these weaknesses. In general, SAS 70 is a great way for a service organization to easily communicate its internal control and safeguard proficiency, making it a great marketing tool for differentiating one organization from another.
Advantages of Using SAS 70 Reports from the User Organization Perspective
SAS 70 Reports are extremely advantageous to user organizations because they can be used to assess a service organization’s controls and safeguards. Reports that user organizations receive are full of details describing the service organization’s specific controls and, in the case of Type II reports, whether the controls and safeguards are effective.
SAS 70 Reports are an important tool for the user organization’s auditors. They are mostly used when planning financial statements for the user organization. Not only does the SAS 70 Report provide important information, but it also offsets costs for the user organization, because it no longer has to send its own auditors to audit the service organization.