Statement of Auditing Standards No.70

From The Secure Arc Wiki


Information in italics below is referenced from wikipedia, reproduced in accordance with the GNU Free Documentation License.

Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled “Reports on the Processing of Transactions by Service Organizations”. SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor’s report. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.

There are two types of service auditor reports. A Type I service auditor’s report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives. A Type II service auditor’s report includes the information contained in a Type I service auditor's report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review.

The following information gives a brief account of the SAS 70 standard. Each requirement of the standard is broken down further into more specific sub-requirements that can be mapped back to both the Security Principles that drive them and the Design Patterns that satisfy them.

Standard Practice

Service auditor reports are growing in popularity and are being used by customers, prospective customers and financiers to gain an understanding of the control environment of outsourcing companies. In some cases, these third parties are not authorized users of the reports, but still use the report as third party independent verification that controls are in place and are operating effectively.

Every Service Auditor’s report contains an auditor’s opinion letter. The opinion letter is required to contain a paragraph that defines the authorized user of the report. Use of the report is typically restricted to the service organization’s management, its customers, and the financial statement auditors of its customers.

Licensing and Documentation

In May 2005, the AICPA released an Audit Guide entitled "Service Organizations, Applying SAS No. 70, as Amended". The audit guide is designed to provide the latest guidance to auditors of companies that use service organizations and service auditors that perform examinations of service organizations (i.e., SAS 70 audits). The 2005 audit guide also supersedes the previous SAS 70 Audit Guides and the Auditing Practice Release (APR) on SAS No. 70 from 1999. The audit guide can be ordered from the AICPA's web site at
