SAS 70 FAQ
- What is SAS 70?
- What is SAS 70 Type I Certification?
- What is SAS 70 Type II Certification?
- Why does Sabrix have a SAS 70 Type I Certification?
- Who can perform a SAS 70 audit? What should the service organization look for?
- Is there a baseline standard for how a service organization should disclose its controls?
- Can a software company be SAS 70 “certified”?
What is SAS 70?
SAS 70 (Statement on Auditing Standards No. 70) is a standard issued by the American Institute of Certified Public Accountants (AICPA), titled “Reports on the Processing of Transactions by Service Organizations”. SAS 70 defines the professional standards a service auditor uses to assess the internal controls of a service organization and to issue a service auditor’s report. Service organizations are typically entities that provide outsourcing services that affect the control environment of their customers.
What is SAS 70 Type I Certification?
A Type I service auditor’s report includes the service auditor’s opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives.
What is SAS 70 Type II Certification?
SAS 70 Type II builds on the Type I report to also include an assessment of the effectiveness of the controls over a period of time, which is recommended to be no less than six months. Such a report can be used to provide evidence of the effectiveness of the controls in meeting stated objectives during the specified period.
Why does Sabrix have a SAS 70 Type I Certification?
Type II audits are typically undertaken when transactions, particularly monetary transactions, are handled in an outsourced environment such as that represented by ASPs and online merchants. Tax research service providers, on the other hand, do not handle monetary transactions, so a Type I audit is typically deemed appropriate to formally establish the scope and strength of the provider’s controls.
Who can perform a SAS 70 audit? What should the service organization look for?
A SAS 70 audit can only be performed by an independent certified public accountant (CPA) or firm. CPA firms that perform SAS 70 audits must adhere to specific professional standards established by the American Institute of Certified Public Accountants (AICPA). Licensed public accounting firms are required to follow specific guidance related to planning, execution, and supervision of the audit procedures and the reporting of the results of the audit. In addition, public accounting firms are required to undergo a peer review to ensure that their firm's audits are conducted in accordance with the applicable professional standards. Specific practicing requirements may vary depending on the requirements of the applicable State Board and/or other governing bodies.
Is there a baseline standard for how a service organization should disclose its controls?
Yes and no. Service organizations are permitted to disclose their control objectives and activities in any manner they see fit. However, for a SAS 70 audit engagement to be of maximum benefit to the user organizations (i.e., customers) and their auditors, the service organization should disclose its controls in a manner that satisfies the user auditor's requirements. To do this, the service organization's description of controls should address the five key components of internal control defined in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit:
- Control Environment sets the tone of an organization, influencing the control consciousness of its people. The control environment is the foundation for all other components of internal control, providing discipline and structure.
- Risk Assessment is the entity's identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.
- Information and Communication are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
- Monitoring is the process that assesses the quality of internal control performance over time.
Can a software company be SAS 70 "certified"?
SAS 70 audits are generally performed for service providers, primarily outsourcing organizations. If a company hosts a software application for its clients, the company is a service provider and would be a good candidate for a SAS 70 audit. The SAS 70 audit scope would most likely include multiple aspects of the service being provided, and the software would be only one part of the overall scope.