White Papers provided by the SAS 70 Resource Guide
SAS 70 Primer
Statement on Auditing Standards No. 70, known to many simply as SAS 70, has had a brief yet storied career. Introduced in 1992, it was essentially the culmination of a number of previous auditing standards, notably SAS 44 and SAS 55, which led to its creation. Within the American Institute of Certified Public Accountants' (AICPA) Codification of Statements on Auditing Standards, AU 324, the SAS 70 auditing standard is used for reporting on controls placed in operation and on tests of the operating effectiveness of those controls. The language, which can be somewhat cumbersome and technical for the average layperson to digest, provides the guidelines and recommendations auditors should use, implement, and undertake when conducting SAS 70 audits.

So is SAS 70 an audit, a standard, or a process? It is all of these. Think of it as an audit that examines and tests the characteristics of internal controls at service organizations. A service organization is simply the entity that undergoes the SAS 70 audit.

So who is requiring the audit to be done, and why? Generally speaking, the wave of compliance legislation that has come from the halls of our nation's capital in recent years has revolved heavily around corporate governance and the ability to maintain a strong mechanism of internal controls within organizations. Laws such as the Sarbanes-Oxley Act of 2002 (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA), to name just a few, have preached themes such as governance, privacy, security, confidentiality, and segregation of duties. Under these legislative rulings, particularly SOX, certain standards must be adhered to in order to ensure that the baseline goals of these laws are being met. A direct relationship can therefore be seen between SOX and SAS 70, and likewise between HIPAA and SAS 70 and between GLBA and SAS 70.
Type I and Type II Audits
Initially, service organizations undergo a SAS 70 Type I audit, gradually migrating towards Type II compliance in subsequent years. The main difference between the two "types" (I vs. II) is that a Type II requires a "testing period", that is, a generally accepted allotted time frame (usually no less than six months) during which testing of the service organization's control environment is conducted. A Type I, on the other hand, covers only a specified date, with no testing period whatsoever. Service organizations considering a SAS 70 audit should review important facts about the auditing standard, along with learning more about SAS 70 pricing and what is in a report. Interested readers can also download a sample SAS 70 report for educational purposes.
