What is it?
Statement on Auditing Standards No. 70: Service Organizations,
commonly abbreviated as SAS 70, is an auditing statement issued by the Auditing
Standards Board of the American
Institute of Certified Public Accountants (AICPA), officially titled
“Reports on the Processing of Transactions by Service Organizations”. SAS 70
defines the professional standards used by a service auditor to assess the
internal control of a service organization and issue a service auditor’s
report.
There are two types of service auditor reports. A Type I
service auditor’s report includes the service auditor’s opinion on the
fairness of the presentation of the service organization’s description of
controls that had been placed in operation and the suitability of the design of
the controls to achieve the specified control objectives. A Type II service
auditor’s report includes the information contained in a Type I service
auditor’s report and also the service auditor’s opinion on whether the specific
controls were operating effectively during the period under review.
Audit Frequency
Type I audits are typically performed no more than once per year; however,
there is no technical reason for this practice. In fact, many companies use a Type
I audit as a primer and tend to move on to a Type II audit for the purpose of
subsequent audits. SOX requirements that require a Type II audit have made this
a very common practice.
Type II audits are also typically performed once per year; however, a small
percentage of companies undergo multiple Type II audits during any 12-month
period. There is no technical guidance that states or even recommends a Type II
audit frequency requirement. It is generally expected that the frequency will be
no less than once per year.
The SAS 70 audit guide recommends, but does not require, that the Type II
examination period be at least six months in length. Companies generally choose
a review period between six and twelve months. There is no requirement or
recommendation that the examination period fall completely within the calendar
year.
SAS 70 audits are performed throughout the calendar year. Each service
organization is responsible for making its own decisions regarding the type of
audit they undergo, the timing of the audit, and the review period of the audit
in the case of a Type II audit.
Type I vs Type II
Type I SAS 70 audits provide an opinion on controls that are in place as of a
specific date. The opinion deals with the fairness of presentation of the controls and
the design of the controls in terms of their ability to meet defined control
objectives. Since these reports only provide assurance over a single day, they
are of limited value to third parties.
Type II SAS 70 audits provide an opinion on controls that were in place over a period of
time, which is typically a period of six months or more. The opinion deals with
the fairness of presentation of the controls, the design of the controls in
terms of their ability to meet defined control objectives, and the operational
effectiveness of those controls over the defined period. Third parties are
better able to rely on these reports since a verification is provided regarding
these matters for a substantial period of time.