By Amy Nutt

SAS 70 stands for Statement on Auditing Standards No. 70. It is an auditing standard that was adopted by the American Institute of Certified Public Accountants and is widely recognized in the auditing of service organizations. An auditor performs an audit on a service organization and that audit is conducted in a way that is compliant with SAS 70. It is that standard statement that says a service organization has been through an extensive audit

This extensive audit measures is that the organization has total control and has safeguards in place that does not compromise any data that they process for their customers. In other words, the job of the audit is to evaluate every aspect of the service organization that handles customer data or could result in a possible leak of customer data.

SAS 70 is necessary for the following reasons:

– It serves as a guide to service organizations when disclosing to their customers how it is they protect their information and how well they do it. The audit results are organized in a report that is easy to follow.

– It is not a checklist audit, but serves as a guide to independent auditors to form an opinion on how well the organization is utilizing their internal controls. There are certain standards that must be met during the audit.


– Provides a set of standards in which the auditor can perform a financial statement audit.

All of the information that is gathered is compiled into two types of reports. These reports are called Type I and Type II.

Type I report

A type I report takes the organizations description of their own controls at a certain point in time and describes those descriptions. The report includes the report by the independent auditor, which is simply the auditor’s opinion, and it includes the organization’s descriptions of their internal controls. There are parts of the report that are optional such as tests that are performed by the auditor and the auditor recording the results of those tests. Another optional area is the inclusion of any other information that the organization provides the auditor about its controls.

Type II report

The type II report is similar to the type I report in a lot of ways. The main difference is that it is mandatory for the auditor to perform tests and record the results of those tests. This is optional with type I. All of the other areas of evaluation remain the same and the inclusion of additional data by the organization is still optional.

How the organization benefits

The organization benefits from SAS 70 because it is receiving an unbiased opinion from the outside regarding the security and the effectiveness of its financial and customer-related controls. In turn, the organization can then work on any areas of weakness, which means that the customers can feel more secure about who they are doing business with. This builds a trust with customers when they know that their financial and/or personal information with the organization are secure. It lets them know who they can turn to when they need what the service organization has to offer.

Also, a service organization that has regular audits performed is an organization that has a long business life ahead of it. As stated before, customers will turn to a secure organization to do business. That means the organization is ensuring itself a long life as long as regular audits are performed to ensure the security of their internal controls. Keeping up with their controls can also save them money from having to eventually bring their controls up-to-date.

About the Author: Managed Hosting Provider providing state-of-the-art data centre offices. We are SAS 70 and CICA 5970 and Certified, which is the highest available standards for measuring and improving data center operations and management.


Permanent Link: