The Statement on Auditing Standards (SAS) No. 70 is one of the recognized auditing standards that was developed to audit organizations. It is so widely recognized because it demonstrates that the organization went through a very in-depth audit of its controls, specifically its control objectives and control activities. Because the economy has become so global, it is increasingly important for customers to know where their data is being hosted or processed so that they know it is safe.

When an organization has a SAS No. 70, it shows its customers that it has followed the very authoritative guidance that was put forth by the audit. This is meant to provide a sense of ease for the customer, who can understand that their data is safely guarded and not at risk of being compromised. On top of that, at the end of the entire audit, the auditor provides an opinion on the organization's controls.

What is important to understand is that the SAS 70 audit is not a checklist type of audit; it is more subjective. The auditor follows the AICPA's standards for reporting, but each auditor approaches SAS 70 differently.

Types of SAS No. 70 Reports

There are two types of SAS No. 70 reports. The first is known as a Type I Report. It describes the service organization's controls at a specific point in time, such as September 22, 2003. A Type II Report includes all the information from a Type I Report and, on top of that, provides testing of the organization's controls over a period of at least six months.

A Type I Report has the service auditor expressing an opinion on two things:

  1. Whether the organization's description of its controls is fairly presented.
  2. Whether the controls are designed to achieve the control objectives.

A Type II Report does the same thing as a Type I Report; however, it goes a step further by asking whether the controls were sufficiently effective. More importantly, the auditor will check that the controls ran effectively over a period of time, such as the minimum six months.

Why Get a SAS 70?

The fundamental reason why a service organization should get a SAS No. 70 is that it saves time. The SAS 70 is well respected and widely used as a form of auditing a service organization's controls. If the organization doesn't use it, each customer might request an audit, which is an incredible waste of time. On top of that, if an auditor visits multiple times, resources can be strained, which decreases productivity.

Finally, because the controls are being evaluated and tested by an auditor, the audit typically results in an opportunity for the organization to improve many of its operational areas. So the audit gives the organization more respect and, on top of that, allows the organization to further develop its operations.