Frequently Asked Questions:
Service Organizations and SAS 70 Compliance Requirements
There are a number of reasons why more and more organizations (i.e., service organizations) are being asked to become SAS 70 Type I and SAS 70 Type II compliant. Primarily, it stems from the growing surge of legislation, such as the passing of the following recent laws: the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act of 1999 (GLBA), and, most notably, section 404 of the Sarbanes-Oxley Act of 2002 (SOX). Collectively, these rulings advocate protection of privacy, corporate accountability, and the establishment of internal controls throughout organizations. Thus, a need was created in many industries for a due diligence process that can aggregate many of the principles found within these three acts and provide companies with a high level of assurance and confidence when using service organizations for outsourcing critical business functions. Current regulatory compliance indicators show a strong relationship between SOX and SAS 70, between HIPAA and SAS 70, and between GLBA and SAS 70.
Information Systems and Auditing
Moreover, the surge in technology being utilized in every facet of business has created a need for watchful oversight and accountability around many of these information systems. Though Statement on Auditing Standards No. 70 (SAS 70) was not designed as, and is inherently not, a technology audit, it has evolved into a compliance tool that can effectively examine and test a service organization's information system components related to internal controls. Many transaction processing activities undertaken by today's businesses have two common traits: they are assisted or conducted primarily by means of technology, and they have internal controls built in and around them to ensure their success. Because of this, SAS 70 audits, designed to report on controls placed in operation and the testing of those controls, can examine and report on these very controls, many of which have information systems characteristics within them.
As a result, SAS 70 audits are widely becoming known as the "de facto due diligence document" throughout the country and the world for reporting on a service organization's internal controls.
