What is SAS 70? | Definition & Overview
SAS 70 Type I and Type II audits have been used extensively since the auditing standard’s inception in 1992. Used to report on controls placed in operation (SAS 70 Type I) and tests of operating effectiveness (SAS 70 Type II), this audit has gained recent prominence due to the wave of regulatory compliance legislation that has emerged from the halls of our nation’s Congress. Most notably, Sarbanes-Oxley, simply known as SOX, essentially revived the auditing standard overnight. Sure, the auditing standard was being used, but the growth between 2003 and 2008 has been unbelievable, to say the least.
So what is a SAS 70? Well, it’s an auditing standard put forth by the AICPA that is utilized by auditors for examining internal controls in service organizations. Service organizations are the host of companies that provide critical, third-party outsourcing services to other companies. Common service organizations include payroll companies, medical claims and benefits processing providers, data centers, and Software as a Service (SaaS) entities, just to name a few.
As companies continue to outsource, service organizations will continue to grow, and so will the need to examine the internal control environment of these very service organizations. From this simple scenario, one can clearly see how the growth of SAS 70 audits occurred and why the auditing standard is here to stay.
So what’s the definition of SAS 70?
Statement on Auditing Standards No. 70 (SAS 70) is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA) in 1992. It is used to report on the “processing of transactions by service organizations”. A SAS 70 Type I is known as “reporting on controls placed in operation”, while a SAS 70 Type II is known as “reporting on controls placed in operation” and “tests of operating effectiveness”.
