
SAS 70


In Audit, Information Systems Audit and Internal Control review, SAS 70 is an international auditing standard developed by the American Institute of Certified Public Accountants (AICPA). More precisely, this standard is defined in the Statement on Auditing Standards (SAS) No. 70 ("Service Organizations"), hence the "SAS 70" common name. The Statement was first published in April 1992.

Unlike some other internal control review standards, SAS 70 provides a firm and its auditor with the assurance that a service organization (typically an outsourcing firm or any other subcontractor) properly conceives, implements and discloses its internal control.

Methods

A SAS 70 audit can only be performed by an independent certified public accountant (CPA) or CPA firm. CPA firms that perform SAS 70 audits must adhere to specific professional standards established by the American Institute of Certified Public Accountants (AICPA). Typically, many SAS 70 engagements are performed by the Big Four audit firms, either as part of their certification (Channel One criteria) or as special assignments as Channel Two contractors.

The SAS 70 audit can and must be performed everywhere in the world if the company is multi-national. Other similar reporting standards exist for other countries, such as the FRAG 21 standard in the UK.

Auditor Report

The results of a SAS 70 audit are presented in a SAR (Service Auditing Report or Service Auditor's Report).

As of 2006, there are two versions of a SAR, commonly known as Type I and Type II reports.
A Type I report provides a description of a service organization's controls as of a point in time (as of 12/31/xxxx), while a Type II report provides assurance over the operating effectiveness of controls for a period of time (for the year ending 12/31/xxxx).

Type II testing procedures must be performed for a period of no less than six months. Typically, Type II SAS 70 reports cover a six-month or one-year period.

The report typically includes the following information:

In addition, the report must assess four main indicators:

Duration

Although no specific duration is set, most companies choose to perform either a partial or a full SAS 70 audit every fiscal year, typically in preparation for the annual final audit review.

SAS 70 and Sarbanes-Oxley Act

With the introduction of the Sarbanes-Oxley Act, and especially of Section 404 (Internal Control Disclosure), the requirements for SAS 70 went slightly out of date, as a law will always be stronger than authoritative guidance. Nevertheless, SAS 70 audits still retain a great deal of interest, since they apply specifically to a service organization, while the SOX 404 framework is more general.



From Wikipedia, the Free Encyclopedia. All text is available under the terms of the GNU Free Documentation License.

