1. What is a SAS 70?
Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled “Reports on the Processing of Transactions by Service Organizations”. It is an ‘auditor-to-auditor’ communication via a report.
A SAS 70 report – Type I or Type II – provides a uniform reporting format to give you independent assurance regarding the adequacy of the internal controls and safeguards that exist over your customer information and related business processes. The report will include: the opinion letter, a description of your control environment, the control objectives and the key controls in place to achieve those objectives, and for a Type II, testing of the effectiveness of these controls.
2. Why is there an increasing demand for SAS 70 reports?
SAS 70 took on increased importance with the introduction of the Sarbanes-Oxley Act (SOX), as well as the existence of HIPAA and other financial regulatory requirements. SOX adopted the COSO model of controls, which is the same model that SAS 70 audits have used since inception. SOX heightened the focus and regulation placed on understanding the controls over financial reporting and identified a Type II SAS 70 report as the only acceptable method for a third party to provide assurance regarding a service organization's controls.
3. What kinds of organizations would need a SAS 70 report?
Service organizations. A service organization is a company that provides a service to another company. If the service organization processes transactions or conducts other processes which significantly affect its customers' financial statements, manages its customers' transactions, or deals with private or sensitive data, it is likely that its customers' auditors will request a SAS 70 report.
Some examples of service organizations include:
- Investment advisors
- Third party administrators
- Billing and payroll services
- Credit processors
- Application service providers (ASPs)
- Software-as-a-Service providers (SaaS)
4. What is the difference between a Type I and Type II SAS 70 report?
A Type I audit consists of inquiry and observation of the controls within a service organization as of a specified date. A Type II audit consists of inquiry, observation, and testing of the controls in place within a service organization over a specified period of time (a minimum of six months and most commonly twelve months).
For example, a Type I audit would inquire about and observe the controls as of January 1, 200X and report that they were in place as of January 1, 200X. A Type II audit would inquire about and observe the controls in place as of January 1, 200X and test controls from January 1, 200X through June 30, 200X.
5. How long is a SAS 70 report valid?
Generally, SAS 70 Type I and Type II reports are valid for one full calendar year after the date of issue.
6. How will a SAS 70 report help our organization?
- Strengthen your organization’s reputation.
- Assess the controls of your organization and how they are applied.
- Evaluate the proficiency of your management team.
- Improve your organization's marketing ability to generate new revenue.
7. What is included in a Sensiba San Filippo SAS 70 report?
- Our opinion, as independent accountants, on the design, implementation and effectiveness of controls at a service organization for a specific audit period.
- A description of the service organization’s control environment, its control objectives and the key controls that are in place to achieve those control objectives.
- Tests of operating effectiveness and the results of those tests.
- Information intended for use by the service organization, its customers, and its customers' independent accountants.
8. What are the benefits of getting a Sensiba San Filippo SAS 70 report?
A SAS 70 will benefit your organization in many ways including:
- Independent, third-party assurance that adequate internal controls and safeguards exist over the customer information and related business processes.
- Demonstrating to your customers a commitment to sound internal controls, building trust and loyalty.
- Mitigating the strain on your internal resources by eliminating multiple visits from your customers’ auditors.
- Identifying opportunities for improvement in many operational areas.

