SAS 70 FAQs

What is a SAS 70?
SAS (Statement on Auditing Standards) No. 70 is the authoritative guidance issued by the American Institute of Certified Public Accountants (AICPA) that allows service organizations to disclose their control activities and processes to their customers and their customers’ auditors in a uniform reporting format. A SAS 70 examination signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm.

SAS No. 70 also provides guidance on the factors that an independent auditor should consider when auditing the financial statements of an entity that uses a service organization to process certain transactions. It also provides guidance for independent auditors who issue reports on the processing of transactions by a service organization for use by other auditors. A SAS 70 report is also referred to as a Service Auditor’s report.

Who needs a SAS 70 Service Auditor’s report?
A SAS 70 Service Auditor’s report is typically required by companies (“user organizations”) and their auditors (“user auditors”) that obtain significant services from another organization (“service organization”). Service organizations provide services to other companies, often handling sensitive or private data and potentially conducting transactions with this data. Examples include application service providers, claims processing centers, real estate title and closing companies, bank trust departments, payroll and billing service providers, investment management firms, market research firms, Internet data centers, and other data processing service bureaus.

What are the benefits to a service organization in obtaining a SAS 70 Service Auditor’s report?

  • Obtaining a SAS 70 Service Auditor’s report differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities.
  • A SAS 70 Service Auditor’s report ensures that all user organizations and their auditors have access to the same information, and in many cases, will satisfy the user auditor’s requirements.
  • Absence of a current SAS 70 Service Auditor’s report means that a service organization may have to entertain multiple audit requests from customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organization’s resources.

Who will use a SAS 70 Service Auditor’s report?
The auditors of the service organization’s customers can use the SAS 70 Service Auditor’s report to gain an understanding of the internal controls in operation at the service organization. SAS 70 Service Auditor’s reports can be used by the user organizations’ auditors to assess internal control risk for the purposes of planning and executing their financial audit.

Are there different types of SAS 70 reports?
Yes. There are two types of SAS 70 reports – a Type I and a Type II report.

  • A Type I Service Auditor’s report is issued for a particular date, and states that the control objectives are in operation and that the supporting controls are suitably designed to achieve the objectives as of that date. However, in the course of performing a Type I engagement, the service auditor does NOT test the operating effectiveness of controls. Thus, a limitation of a Type I Service Auditor’s report is that the user auditor cannot rely on the report to reduce assessment of control risk below the maximum.
  • A Type II Service Auditor’s report is issued covering a period of time, and states that the control objectives are in operation as of a specified date, and that the supporting controls are suitably designed to achieve the objectives. It also states that the controls were tested and were operating with sufficient effectiveness to provide reasonable assurance that control objectives were achieved during the specified period. Type II Service Auditor’s reports may be used by user auditors to reduce assessment of control risk below the maximum.

What are the contents of a SAS 70 Service Auditor’s report?
There are typically four sections of a SAS 70 Service Auditor’s report as detailed in the table below:

Section | Name | Responsibility
Section I | Independent Service Auditor’s Report | Service Auditor
Section II | Service Organization’s Description of Controls | Service Organization
Section III | Control Objectives, Related Controls and Tests of Operating Effectiveness | Service Auditor
Section IV | Other Information Provided by the Service Organization | Service Organization

How long is a SAS 70 report valid?
SAS 70 Type I and Type II reports do not technically expire. However, your client’s auditor may or may not choose to rely on the report, based on the amount of time that has passed since the period covered by the Service Auditor’s report. Management of service organizations may issue an update letter stating that no changes have been made to the control environment since the date covered by the Service Auditor’s report. User auditors will have to use professional judgment to determine the extent of reliance on Service Auditors’ reports.

What is Statement on Standards for Attestation Engagements (SSAE) No. 16?
SSAE No. 16, Reporting on Controls at a Service Organization, supersedes the guidance for service auditors within SAS 70 and is effective for Service Auditors’ reports for periods ending on or after June 15, 2011. SSAE No. 16 contains the requirements and guidance for a service auditor reporting on a service organization’s controls. Key changes that service organizations should be aware of include a requirement that management of the service organization provide a written assertion, and that management identify risks that threaten the achievement of the control objectives stated in the description of the service organization’s controls.