What Is Sas 70?

By Author: Will Spencer
Total Articles: 4762
Comment this article

SAS 70 is a well-known acronym that represents a detailed audit of a third-party service organisation. The original one is one of a multitude of statements issued periodically by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). Generally, these statements modify existing auditing standards or introduce new standards. The passing of the Sarbanes-Oxley Act of 2002 meant that the Public Company Accounting Oversight Board (PCAOB) now also issues auditing standards for public companies. This is done on a go-forward basis.

An examination in accordance with it, performed by a service auditor is widely recognised as it shows that an in-depth audit of control objectives and control activities has been completed. Such an audit often includes controls over information technology and related processes. When service organisations or providers host pr process customer data, they must demonstrate in today’s global economy that they have sufficient controls and safeguards. Reporting on the effectiveness of internal control over financial reporting is highlighted in the ...
... requirements of Section 404 of the Sarbanes-Oxley Act of 2002, making SAS 70 audit reports even more important to the process.

With the guidance of it, service organisations can disclose their control activities and processes to customers and their auditors in a uniform reporting format. A service auditor’s report prepared in line with its demonstrates that an independent accounting and auditing firm has examined a service organisation’s control objectives and activities. At the conclusion of its examination, the service auditors report is issued to the service organisation, which includes the service auditor’s opinion.

An independent service auditor is able to gibe an opinion on a service organisation’s description of controls in a Service Auditor’s Report, with the guidance of it. It does not specify a pre-determined set of control objectives or control activities that an organisation must achieve. Auditors must follow the AICPA’s standards for fieldwork quality control and reporting. An audit done with it is not a ‘checklist’ audit.

If a user organisation obtains services from a service organisation then an independent auditor should apply for it, when planning its financial statement audit. Application service providers, bank trust departments, claims processing centres, data centres and third party administrators are examples of service organisation that have an impact on user organisation’s systems of internal controls.

As required in SAS 55, Consideration of Internal Control in a Financial Statement Audit, the auditor gains a sufficient understanding of the organisation’s control to plan the audit. An important step in the auditor’s approach is to identify and evaluate relevant controls an auditor of AICPA may need to obtain an understanding of the controls at the service organisation if it provides transaction processing, data hosting, IT infrastructure and other data processing services to the user organisation. In doing so, the auditor can effectively plan the audit and evaluate control risk.

A Service Auditor’s Report is one of the most effective ways of a serve organisation communicating information about its controls. There are two types of such report †Type I and Type II.
The description of a service organisation’s controls at a specific point in time is described in Type I. A service organisation’s description of controls and a comprehensive testing of a service organisation’s controls over a minimum six-month period, is detailed in Type II. The service auditor will express an opinion in a Type I report on whether a service organisation’s description of its controls is fairly presented, in all material respects, the relevant aspects of the service organisation’s controls that were in operation as at a specific date. The auditor will also have an opinion about the controls being suitable designed for achieving specified control objectives related to Sarbanes-Oxley Act of 2002.

These opinions are also expressed in a Type II report with the added opinion about whether the tested controls were operating effectively to prove reasonable assurance that during the specified period the control objectives were achieved.
About Author:
Sturat enjoys writing articles on topics like SAS 70 and SAS 70. Visit What Is SAS 70?.