SAS 70 Audit & Overview Presentation | Part IV Tutorial
So what’s in a SAS 70 report, and what type of information does it contain? Many organizations that have never gone through a SAS 70 Type I or Type II audit often ask that question. What’s more, because the SAS 70 auditing standard has a large amount of flexibility and looseness, one report can look considerably different from another.
However, even with that said, a large number of areas and sections should be consistent within each report, whether it be a SAS 70 Type I or a SAS 70 Type II audit.
Let’s take a look at the key features that should be included in a SAS 70 Type II audit report.
- Independent Service Auditor’s Report: This is common technical language that gives readers an overall understanding of the audit, such as the opinion received, the testing period, and many other important clauses and pronouncements.
- Description of Controls Provided by the Service Organization: A rather vague title for an area that encompasses quite a bit of information. Within this area, the service organization can describe its core products and services and give an organizational overview, along with a description of the five elements of internal control that the organization exhibits.
- User Control Considerations: These are essentially considerations that help lay accountability on user organizations and other companies that service organizations have a professional relationship with. In essence, certain controls need to be in place at other entities for the controls at service organizations to be effective.
- Information Provided by the Service Auditor: A brief description of the testing procedures used, along with other common audit verbiage.
- Tests of Operating Effectiveness and Results of Testing Provided by the Service Auditor (Type II Reports): Generally speaking, this is a matrix-style grid which details the testing and results of testing, along with any noted exceptions.
- Additional Information Provided by the Service Organization: The service organization may provide additional information about its company if it chooses. As of late, most organizations give a brief overview of the Business Continuity Plan.
- Exceptions Noted During Testing and Management’s Responses: Any exceptions noted during testing will be listed here, along with management’s response explaining why these exceptions occurred.
- Additionally, SAS 70 reports may contain detailed narratives on the business process, a discussion of application controls, and other information that assists intended users of the report when examining it.
To learn more about SAS 70 Type I and Type II reports, and to obtain SAS 70 sample reports for educational reading, visit the official SAS 70 Resource Guide and find out more about this highly specialized auditing standard. The next time somebody asks you what SAS 70 is, you will know.
