What is Statement on Auditing Standards: Service Organizations No. 70 (SAS 70)?
Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) with its content codified as AU 324. SAS 70 provides guidance to service auditors when assessing the internal controls of a service organization and issuing a service auditor’s report. SAS 70 also provides guidance to auditors of financial statements of an entity that uses one or more service organizations. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearing houses.
There are two types of service auditor reports:
A Type I service auditor’s report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives.
A Type II service auditor’s report includes the information contained in a Type I service auditor's report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review. The SAS 70 Type 2 audit is the standard for third-party testing in conjunction with Sarbanes-Oxley compliance. Replicon-hosted Web TimeSheet has passed a SAS 70 Type 2 audit, ensuring reliability and security for customers facing increased pressure for corporate governance and security.