SAS 70 Audit Report Contents
SAS 70 reports contain a mixture of information from both the auditors conducting the audit (service auditors) and the organization undergoing the audit (service organization). As with all SAS 70 audits, the exact contents of the final SAS 70 report will differ from one deliverable to the next. As such, listed below are the elements that should be included in every SAS 70 report, as defined by the auditing standard, along with general guidelines and suggestions for additional information that may be included in a SAS 70 Type I or SAS 70 Type II report.
The Independent Service Auditor's Report
This document, typically a two- to three-page statement, essentially contains the expression of an opinion by the service auditor who has conducted the SAS 70 engagement on the service organization. It is a requirement for all SAS 70 reports. Slight differences exist between The Independent Service Auditor's Report (also called "The Independent Accounts Report" or simply the "opinion letter") for a SAS 70 Type I and a SAS 70 Type II, as a Type II must make certain disclosures regarding the tests of operating effectiveness for a specified time period. Download a sample SAS 70 to gain a greater understanding of the "opinion letter".
Description of Controls Provided by the Service Organization
Also a requirement for SAS 70 reports, this section should provide adequate and sufficient information for user auditors and other intended users of the report to clearly understand a service organization's control environment. The core components of the control environment, known as the five elements of internal control, are the following: Control Environment, Risk Assessment, Control Activities, Information/Communication and Monitoring. This section should also provide information on how the service organization's processing and operational activities affect and interrelate with these five elements of internal control. This is where the stark differences will appear in SAS 70 reports, giving rise to the criticism of SAS 70 audits. Thus, a service organization should have a SAS 70 roadmap in place for completing the audit and for ensuring its completeness and quality of content.
Other Notable Sections within a SAS 70 Report
- User Control Considerations
- Information Provided by the Service Auditor
- Tests of Operating Effectiveness and Results of Testing provided by the Service Auditor (Type II Reports)
- Additional Information Provided by the Service Organization
- Exceptions Noted During Testing and Management's Responses to those Exceptions
- Additionally, SAS 70 reports may contain detailed narratives on the business process, a discussion of application controls, and other information that assists intended users of the report when examining it.
You can download a sample SAS 70 to view these additional sections and the information contained within them.
