SAS 70 Assessment Services

SAS 70 has been replaced by SSAE 16 from 15 June, 2011. For more information please visit: SSAE 16 – Statements on Standards for Attestation Engagements 16.

What is SAS 70 Assessment Services?

In today’s global industry economic, service organizations or service providers are required to demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers.

Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA) for reporting design and operational effectiveness of a service organization’s internal controls over processing transactions.

SAS No. 70 enables service organizations to disclose their control activities, their effectiveness and processes to their customers and their customers’ auditors in a uniform reporting format.

So, if you are a serious IT/BPO service provider with clientele in US – give us a call so that we can help you obtain a competitive advantage to your services – by either providing you with an independent Third Party Audit Report (TPA) and / or a full fledged SAS 70 Certification

Objective of SAS 70 Assessment service

The SAS no.70 report was designed to enable user auditors to obtain an understanding of controls over activities, processes and functions performed at a service organization that are part of a user organization’s information system. AICPA generally accepted auditing standards require auditors to obtain an understanding of an entity’s internal control sufficient to plan the audit. This understanding should encompass controls placed in operation by the entity and by service organizations whose services are part of the entity’s information system. If the user auditor determines that the service organization’s controls are significant to the user’s internal control, the user auditor should gain a sufficient understanding of these controls to plan the audit (as required by SAS no. 55, Consideration of Internal Control in a Financial Statement Audit, as amended.) (Note: SAS No. 55 will be superseded by a new standard in early 2006.) The user auditor can gain this understanding by performing specified procedures at the service organization, or if a service auditor’s report is available, by reading the service auditor’s report, the description of controls, and the results of the service auditor’s procedures. The user auditor should link controls at the service organization to assertions in the user organization’s financial statements. The user auditor should read the service auditor’s report to make sure it addresses the controls that are relevant to the specific service provided to the user organization.

Why get a SAS 70 audit?

Some reasons that service organizations are asked to be compliant include:

Fore mostly, the principal reason is often a requirement of an organization seeking to outsource their critical business functions to service firms. But underneath their requested audit, recent legislated rulings, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm-Leach-Bliley Act of 1999, and most notably, the Sarbanes-Oxley Act of 2002 (SOX) have advocated protection of privacy, corporate accountability, and establishment of internal controls throughout organizations. Thus, a need was created in many industries for a due diligence process that can aggregate many of the principles found within these three acts and provide companies with a high level of assurance and confidence when using service organizations for outsourcing critical business functions.

Moreover, advances in technology utilized in nearly all significant business activity has raised the need for watchful oversight and accountability around many of these information systems. Many transaction processing activities undertaken by today’s businesses have two common traits: they are assisted or conducted primarily by means of technology and they have internal controls built in and around them for ensuring their success.

While the AICPA’s Statement on Auditing Standards No. 70 was not designed as a technology audit, it has become an effective compliance tool for examining and testing a service organization’s information system and its related internal controls.

SAS 70 Assessment Service Methodology

Our Methodology of SAS 70 Assessment is as follows:-

Focus to achieve SAS 70 compliance in 06 to 12 months period of time.

  1. Gap Analysis & Readiness Assessment
  2. Pre Audit
  3. Pre Audit Report
  4. Type-I Audit
  5. Type-I Audit Report
  6. Type-II Audit
  7. Type-II Audit Report

For detail information visits the following Audit patterns:-

  1. SAS 70 (Type I) Audit Process
  2. SAS 70 (Type II) Audit Process
  3. SAS 70 Type I & II compliance Services
  4. Best Practices in Utilizing a Type II SAS 70

Benefits of SAS 70 Assessment Service

A SAS 70 audit offers many potential benefits to service organizations. We have found that some clients indicate such benefits as the following:

  1. The SAS 70 audit report allows the service organization to provide its customers with independent third-party verification about the state of the internal controls governing the integrity, reliability, effectiveness, and security of the processing services provided to user organizations.
  2. The SAS 70 audit report can be used by user organization’s financial statement auditors as a substitute for those parties performing their own first-hand audit procedures.
  3. Undergoing the SAS 70 audit distinguishes the service organization from its competitors.
  4. The SAS 70 audit process can provide benefits similar to an internal audit function.
  5. A SAS 70 audit can improve or sustain business relations between service providers and user organizations. It may be also viable to pass the costs of fees paid for the SAS 70 audit to the user organization.

How can DQS help with your SAS 70 Assessment?

Our Methodology of Assessment is Plan, Audit, Execute and Manage.

See Also: