In today's global economy, technology service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers.
SAS 70 Overview
Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). SAS 70 is widely recognized because it represents that a service organization has been through an in-depth audit of its control activities, which generally include controls over information technology and related processes.
SAS No. 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. A formal report including the auditor's opinion ("Service Auditor's Report") is issued to the service organization at the conclusion of a SAS 70 examination.
Service organizations that provide such services could be application service providers, bank trust departments, claims processing centers, Internet data centers, or other data processing service bureaus.
Opportunity - Benefits to the Service Organization
Service organizations receive significant value from having a SAS 70 engagement performed. A Service Auditor's Report with an unqualified opinion that is issued by an independent accounting firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities. A Service Auditor's Report also helps a service organization build trust with its user organizations (i.e., customers).
Without a current Service Auditor's Report, a service organization may have to entertain multiple audit requests from its customers and their respective auditors. A Service Auditor's Report efficiently ensures that all user organizations and their auditors have timely access to the information that will satisfy the user auditor's requirements.
Opportunity - Benefits to the User Organization
User organizations that obtain a Service Auditor's Report from their service organization(s) receive valuable information regarding the service organization's controls and the effectiveness of those controls. The user organization receives a detailed description of the service organization's controls and an independent assessment of whether the controls were placed in operation, suitably designed, and operating effectively (in the case of a Type II report).
User organizations should provide a Service Auditor's Report to their auditors. This will greatly assist the user auditor in planning the audit of the user organization's financial statements. Without a Service Auditor's Report, the user organization would likely have to incur additional costs in sending its auditors to the service organization to perform their procedures.
Process Partners, LLC professionals have extensive experience in conducting both SAS 70 Type I and Type II audits. The firm partners with selected CPA firms to provide the information technology and IT general control documentation, assessment, and testing expertise needed to ensure a timely and comprehensive Service Auditor's Report.
Our experience and skills in information technology, change management, and risk management are leveraged in our IT Assessment methodology to ensure that sustainable process changes and controls are established that will achieve key process goals. Our approach encompasses the following:
- Plan and Scope
- Conduct Risk Assessment
- Identify Significant Controls
- Identify Control Gaps & Remediate
- Document Controls
- Prepare Type I Report
- Plan Control Evaluation
- Conduct Tests
- Identify Deficiencies & Remediate
- Prepare Type II Report
Process Partners has completed over 40 IT control environment assessments, including SAS 70, SOX 404 and other compliance engagements for data centers, financial firms, and claims processing firms. Process Partners is a member of ISACA and uses CobiT as the control environment framework for SAS 70 engagements. CobiT is issued by the IT Governance Institute (ITGI®) in association with the Information Systems Audit and Control Association® (ISACA®).