SAS 70 Definition
Statement on Auditing Standards No. 70 (SAS 70) is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA) in 1992. It is used to report on the "processing of transactions by service organizations", which can be done by completing either a Type I or a Type II audit. A SAS 70 Type I is known as "reporting on controls placed in operation", while a SAS 70 Type II is known as "reporting on controls placed in operation" and "tests of operating effectiveness".
The Origin of SAS 70
One can trace the roots of SAS 70 back to previous auditing standards, such as SAS 44, SAS 55, and even further back, starting with auditing procedures, known as SAPs. Understanding the history and overview of SAS 70 will help shed light on this widely used auditing standard.
Type I and Type II Audits
Thus, the distinct difference between a Type I and a Type II SAS 70 Service Auditor’s Report is the time period that the audit attests to. A Type I audit is for a specific date in time (e.g., April 1, 2008), while a Type II audit has an industry-recognized test period of at least six (6) months (e.g., April 1, 2008 to September 30, 2008), though circumstances arise where the test period of a Type II audit is shorter or longer than six months.
Service Auditor's Report
The final deliverable for the audit is commonly called the SAS 70 Service Auditor’s Report, a lengthy document which contains a multitude of information regarding the service organization, its overall control structure, framework, test of controls (if a Type II audit), along with adjunct and supporting documentation, such as the Independent Accountant (or Service Auditor’s) Report, possible exceptions noted during testing, and any additional information provided by the service organization.
Many people refer to the final deliverable of a SAS 70 audit as the SAS 70 report, certification, compliance document, or a number of other terms and phrases. In truth, any of these terms is considered reasonably acceptable as long as it distinguishes between a Type I and a Type II audit report.
To view a sample audit report in its entirety, you can download a sample SAS 70 report.