Freed Maxick & Battaglia, PC, Certified Public Accountants
  


SAS 70 Frequently Asked Questions (FAQ)


Who can perform a SAS 70 audit?  What should the service organization look for?

A SAS 70 audit can only be performed by an independent certified public accountant (CPA) or CPA firm.  CPA firms that perform SAS 70 audits must adhere to specific professional standards established by the American Institute of Certified Public Accountants (AICPA).  Licensed public accounting firms are required to follow specific guidance related to the planning, execution, and supervision of the audit procedures and the reporting of the results of the audit.  In addition, public accounting firms are required to undergo a peer review to ensure that the firm's audits are conducted in accordance with the applicable professional standards.  Specific practice requirements may vary depending on the requirements of the applicable State Board and/or other governing bodies.

The CPA firm, of course, may employ non-CPA professionals with relevant business process, information technology, or security skills to participate in a SAS 70 engagement.  However, the final report must be reviewed and issued by a CPA.  This is particularly important if a user organization's auditors plan to rely on the results of the service auditor's tests of operating effectiveness.

There is currently no specific list of authorized SAS 70 service audit providers.  However, a good place to start is a nationally recognized public accounting firm.  When a service organization selects an audit firm to perform its SAS 70 audit, it should consider the following:

  • Experience in performing SAS 70 audits (i.e., service auditor's examinations)
  • Relevant industry experience (e.g., financial services, technology, telecommunications, health care, etc.)
  • Skilled audit professionals that understand the business and information technology (IT) controls and processes
  • Availability of resources (i.e., bandwidth to deliver the services on time)
  • Project management skills

SAS 70 audits can significantly impact your company's operations and market position, making successful management of the SAS 70 critical.  Our experience and expertise in conducting SAS 70 audits will ensure the process is executed smoothly and as unobtrusively as possible, having little impact on your organization's operations.

What are the contents of a SAS 70 report?
SAS 70 reports (Service Auditor's Reports) are generally divided into three or four sections depending on the type of engagement performed.  There are two types of Service Auditor's Reports: Type I and Type II.

A Type I report presents the service organization's description of controls at a specific point in time (e.g., June 30, 2000).  A Type II report not only includes the service organization's description of controls, but also includes detailed testing of the service organization's controls over a minimum six-month period (e.g., January 1, 2000 to June 30, 2000).


How can a service provider prepare for a SAS 70 audit?
A service provider can do many things to prepare for a SAS 70 audit engagement.  Defining control objectives and identifying related control activities is an important step in the SAS 70 audit process.  Many service providers will engage a professional services firm with a background in both financial auditing and IT auditing to assist with drafting the control objectives and evaluating the existing control activities.  This allows the service provider to determine if any improvements need to be made with respect to the control environment prior to the start of the actual SAS 70 audit.

If the service provider has an internal audit department, the internal auditors could also assist with developing the control objectives and documenting the related control activities.  Internal audit can also periodically evaluate and test some of the controls that may be tested as part of the SAS 70 audit to determine if improvements need to be made. 


How does a service organization "pass" or "fail" a SAS 70 audit?

At the conclusion of a SAS No. 70 service auditor's examination ("SAS 70 audit"), the service auditor renders an opinion on the following: 

  1. Whether or not the service organization's description of controls is presented fairly.
  2. Whether or not the service organization's controls are designed effectively. 
  3. Whether or not the service organization's controls are placed in operation as of a specified date. 
  4. Whether or not the service organization's controls are operating effectively over a specified period of time. (Type 2 only)

When the service auditor concludes that the above items have been accomplished, the service auditor renders what is referred to as an "unqualified opinion."  While a SAS 70 audit is technically not a "pass" or "fail" audit, the receipt of an unqualified opinion from the service auditor is often referred to as "passing" the audit.

When the service auditor's procedures reveal exceptions or control deficiencies, the service auditor may conclude that a control objective could not be achieved due to a design deficiency or an operating effectiveness deficiency.  When this occurs, the service auditor will "qualify" the opinion to indicate that a control objective could not be achieved.  The receipt of a qualified opinion from the service auditor is sometimes referred to as "failing" the audit.  This view of audit failure is also technically not accurate, because a qualified opinion does not necessarily imply that other control objectives could not be achieved.  For example, a service organization might have 15 control objectives, and the service auditor may conclude that one (1) of the 15 objectives could not be achieved.  While the opinion would be "qualified", the other 14 objectives would be achieved and would still be of benefit to the users of the service organization.


How often does a SAS 70 audit need to be renewed?  Does a SAS 70 audit ever expire?

A service auditor's examination report ("SAS 70 audit report") is generally as of a point-in-time (e.g., September 30, 20xx) and, in the case of a Type 2 audit, will cover a specified period of time (e.g., January 1, 20xx to September 30, 20xx).

Most service organizations will have the SAS 70 audit conducted annually, because the user organizations and their auditors will need assurance that the service organization's controls are operating effectively for the current fiscal year of the user organization.  There is no "SAS 70 renewal" from the standpoint of the service organization simply paying a fee to extend the results of their original SAS 70 audit.  The service auditor must conduct a full and complete audit each year and report on the results.  The description of controls in the service auditor's report may look the same from year-to-year, but the service auditor's procedures and/or tests will be new every year.

The PCAOB has elected not to establish any "bright lines" around when a SAS 70 audit report is no longer relevant or useful (refer to FAQ #25 in the PCAOB June 23, 2004 Staff Questions & Answers document).  For public companies, it is up to the individual user organization and user auditor, respectively, to determine if the information contained in the SAS 70 audit report is current enough for purposes of management's assessment and for the planning of the user auditor's procedures.


Is there a list of SAS 70 standards, control objectives, or checklists?

Since service organizations are responsible for describing their controls and defining their control objectives, there is no published list of SAS 70 standards.  Generally, the control objectives are specific to the service organization and their customers.

However, there are some great sources of control objectives and other published standards that can be used to prepare for a SAS 70 audit or another type of third party assurance.
The Information Systems Audit and Control Association (ISACA) publishes a set of control objectives referred to as "CoBIT".  Information on CoBIT and how to purchase the latest editions is available on the ISACA website at http://www.isaca.org.

Another great source of guidance is the WebTrust Principles and Criteria and the SysTrust Principles and Criteria.  Both are available from the AICPA website and can be downloaded for free at http://www.aicpa.org/assurance.  Each principle has specific criteria elements and illustrative controls that can serve as a baseline for your organization.


Is there a baseline standard for how a service organization should disclose its controls?

Yes and No.  Service organizations are permitted to disclose their control objectives and activities in any manner they see fit.  However, for a SAS 70 audit engagement to be of maximum benefit to the user organizations (i.e. customers) and their auditors, the service organization should disclose their controls in a manner that satisfies the user auditor's requirements.  To do this, the service organization's description of controls should address key components of internal control as defined in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit: 

  1. Control Environment sets the tone of an organization, influencing the control consciousness of its people. The control environment is the foundation for all other components of internal control, providing discipline and structure.
  2. Risk Assessment is the entity's identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.
  3. Information and Communication are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
  4. Monitoring is the process that assesses the quality of internal control performance over time.
