SAS 70 stands for Statement on Auditing Standards No. 70. It is an auditing standard that was
adopted by the American Institute of Certified Public Accountants and is widely recognized in the
auditing of service organizations. An auditor performs an audit of a service organization, and that
audit is conducted in a way that complies with SAS 70. The resulting statement says that the
service organization has been through an extensive audit.
This extensive audit measures whether the organization's data centre is under full control and has
safeguards in place that do not compromise any data it processes for its customers. In other words,
the job of the audit is to evaluate every aspect of the service organization that handles customer
data or could result in a possible leak of customer data.
SAS 70 is necessary for the following reasons:
- It serves as a guide to service organizations when disclosing to their customers how they
protect customer information and how well they do it. The audit results are organized in a report
that is easy to follow.
- It is not a checklist audit, but serves as a guide to independent auditors in forming an opinion on
how well the organization is using its internal controls. There are certain standards that must be
met during the audit.
- It provides a set of standards under which the auditor can perform a financial statement audit.
All of the information that is gathered is compiled into two types of reports. These reports are
called Type I and Type II.
Type I report
A Type I report takes the organization's description of its own controls at a specific point in
time and reports on that description. The report includes the report by the independent auditor,
which is simply the auditor's opinion, and it includes the organization's description of its internal
controls. Some parts of the report are optional, such as tests performed by the auditor and the
auditor's record of the results of those tests. Another optional part is the inclusion of any other
information the organization provides to the auditor about its controls.
Type II
The Type II report is similar to the Type I report in many ways. The main difference is that it
is mandatory for the auditor to perform tests and record the results of those tests, which is
optional in a Type I report. All of the other areas of evaluation remain the same, and the inclusion
of additional information by the organization is still optional.
How the organization benefits
The organization benefits from SAS 70 because it receives an unbiased opinion from an outside party
regarding the security and the effectiveness of its financial and customer-related controls. In
turn, the organization can work on any areas of weakness, which means that customers can feel more
secure about who they are doing business with. This builds trust with customers when they know that
the financial and/or personal information they have placed with the organization is secure. It lets
them know who they can turn to when they need what the service organization has to offer.
Also, a service organization that has regular audits performed is an organization with a long
business life ahead of it. As stated before, customers will turn to a secure organization to do
business. That means the organization is securing a long life for itself as long as regular audits
are performed to ensure the security of its internal controls. Keeping up with its controls can also
save it the cost of eventually having to bring those controls up to date.