SAS 70 (Statement on Auditing Standard 70)

SAS 70 has been replaced by SSAE 16 from 15 June, 2011. For more information please visit: SSAE 16 – Statements on Standards for Attestation Engagements 16.

What is SAS 70?

SAS 70 is an acronym for Statement on Auditing Standard 70; it was developed and is maintained by the AICPA (American Institute of Certified Public Accountants). Specifically, SAS 70 is a “Report on the Processing of Transactions by Service Organizations” where professional standards are set up for a service auditor that audits and assesses internal controls of a service organization. At the end of the audit, the service auditor issues an important report called the “Service Auditor’s Report”.

SAS 70 also describes the procedures for performing a service auditor’s examination (SAS 70 audit) of a service organization’s controls. At the completion of a SAS 70 audit, a service auditor’s report (SAS 70 report) is issued by the service auditor.

There are two types of SAS 70 reports:

  • Type I Reports
  • Type II Reports

SAS 70 Services

  1. SAS 70 Audit Type I & II Process
    • SAS 70 (Type I) Audit Process
    • SAS 70 (Type II) Audit Process
    • SAS 70 Type I & II compliance Services
    • Best Practices in Utilizing a Type II SAS 70

What is the significance of SAS 70 compliance?

  1. Safeguard client funds and information
  2. Ensure client transactions are complete, accurate, and timely
  3. Reconcile transactions for your clients
  4. It reduces their risk.  Risk management is being driven home hard with new accounting pronouncements.
  5. It reduces their audit and compliance costs.  It literally pushes the cost down their supply chain.

SAS 70 Type I Audit Certification

A Type I service auditor’s report includes the service auditor’s opinion on the fairness of the presentation of the service organization’s description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives.

SAS 70 Type II Audit Certification

SAS 70 Type II builds on the Type I report to also include an assessment of the effectiveness of the controls over a period of time, which is recommended to be no less than six months. Such a report can be used to provide evidence of the effectiveness of the controls in meeting stated objectives during the specified period.

Benefits of SAS 70 Compliance

Benefits to the Service Organization

  • Eliminates or mitigates repeat audits from users
  • Provides independent findings
  • Allows the service organization to meet contractual obligations
  • Provides a competitive advantage
  • Allows the service organization to respond to regulatory inquiries
  • Reduce disruption to operations through a single audit request for information.
  • Satisfy Service Level Agreements or contract provisions
  • Demonstrate leadership and market differentiation
  • Enhance business performance through value added recommendations
  • Provide additional comfort on risk, systems and controls to participants and business partners.

Benefits – Users

  • Provides information to assess the overall control environment for their (user) auditors
  • Satisfies client regulatory requirements
  • May control some audit costs
  • Provides time efficiencies to user auditors by already having information available/prepared
  • Provides a level of comfort over control consciousness of the service organization and its services

Other Benefits

The SAS 70 audit report allows the service organization to provide its customers with independent third-party verification about the state of the internal controls governing the integrity, reliability, effectiveness, and security of the processing services provided to user organizations.

The SAS 70 audit report can be used by user organization’s financial statement auditors as a substitute for those parties performing their own first-hand audit procedures.

Undergoing the SAS 70 audit distinguishes the service organization from its competitors.

The SAS 70 audit process can provide benefits similar to an internal audit function.

A SAS 70 audit can improve or sustain business relations between service providers and user organizations. It may be also viable to pass the costs of fees paid for the SAS 70 audit to the user organization.

Success with SAS 70

  1. Meet stringent auditors’ requirements to satisfy Statements on Auditing Standards (SAS 70)
  2. Company-wide monitoring of critical IT control processes.
  3. Acquired SAS 70 certification; improved quality of IT infrastructure; completed implementation of system in 3 months

SAS 70 For Whom

A SAS 70 review is applicable when elements of a company’s processes are performed by a service provider and the company:

  • Needs assurance over the system of internal controls at the provider because the services/transactions affect their financial statements.
  • Needs assurance that the service provider is fulfilling contractual obligations.
  • Wants to gain a better understanding of their role in controlling the process.

There are numerous types of services that may be performed by an outsourced service provider:

  • Payroll
  • Investment Management
  • Custody and Trust
  • IT Processing
  • Human Resources
  • Benefit Management
  • Web Hosting
  • Credit Card Processing
  • 401k Management
  • Telecommunications
  • Finance
  • Accounts Payable
  • Accounts Receivable
  • Commodity Trading Support

Contact us

Please feel free to contact us. We are looking forward to hearing from you!