SAS70 Audit Complaints

Criticism of the SAS70 audit standard has centered on two main elements. The first is the looseness of the auditing standard itself, which has resulted in SAS 70 Service Auditor's Reports varying greatly in their overall contents. One would think that the SAS70 audit process and final report for a particular industry, such as financial services, would have a very similar, if not identical, look and feel for many of the activities and sections within the audit report. Unfortunately, this is not the case. The reasons are many, but the variance stems primarily from auditors taking different approaches to how audit scope is determined and to what analysis is used for determining frequency of testing, population, sampling, and other notable attributes. Many consider the criticism fair and just, and call for the standard to be tightened, with stricter guidelines on a number of issues.

A SAS70 Audit is for Compliance

Second, SAS 70 audits have been criticized because of their heavy use in industries that place a high reliance on information technology. I.T. experts have complained that the audit is weak in testing I.T. controls and is an insufficient audit, not properly geared towards the complex information systems infrastructure of today's business world. A SAS70 audit is not a technology audit; rather, it is a compliance audit that examines the characteristics of internal controls as they relate to service organizations. The auditing standard's original intent was not for it to be an I.T. audit, and as such, it is not. It does, however, have the ability to test the internal control framework surrounding the technology platform of a service organization, if that service organization is heavily dependent on information systems.

Accountants and their Technology Skill-sets

Moreover, accountants and auditors are now obtaining technology certifications (e.g., CISA, CISSP, CompTIA), which, coupled with a CPA license, make these individuals well-skilled to perform any type of internal control testing related to information systems. Service organizations that find they do not need a SAS 70 audit would be better served by engaging a technology consulting firm that conducts specialized technology testing, such as penetration testing and vulnerability assessment activities.

3 Reasons to Choose NDB, LLP

  • Cost-Effective, "Fixed-Fee" SAS 70 Audit Prices
  • Nationally Recognizable Firm with Years of Experience
  • Free SAS 70 Readiness Questionnaires for Audit Preparation
