An Overview of SAS 70: Who is Required to have a SAS 70 Report? A Statement on Auditing Standards SAS No. 70, refers to service providers who serve public and private companies by providing a service that materially impacts the company's financial statements will be required by their customers to provide a Type II SAS 70 Report. Such services could include: payroll services, systems programming, data storage, computer support, medical claims processing, colocation and web hosting, among others.

A service auditor's examination performed in accordance with SAS No. 70 ("SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over 
financial reporting.

SAS No. 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. The issuance of a service auditor's report prepared in accordance with SAS No. 70 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. The service auditor's report, which includes the service auditor's opinion, is issued to the service organization at the conclusion of a SAS 70 examination.

Audit standards require that when the service organizations services are a part of the company's internal control over financial reporting, management should consider the activities of the service organization in making its assessment of internal control over financial reporting, and the external auditor must consider the activities of the service organization in determining the evidence required to support his or her opinion.

Benefits of a SAS 70: Service organizations receive significant value from having a SAS 70 engagement performed. A SAS 70 Report with an unqualified opinion that is issued by an independent accounting firm differentiates the service organization from its competitors by demonstrating the establishment of effectively designed control objectives and control activities. A SAS Report also helps a service organization build trust and loyalty with its customers. Conversely, without the ability to timely provide a SAS 70 Report to a customer, the service provider may lose the customer. The company has no alternative but to obtain the SAS 70 Report, and is likely to change service providers in order to meet this requirement.

Additionally, without a current SAS 70 Report, a service organization may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organizations resources. A SAS 70 Report ensures that all customers and their auditors have access to the same information and in most cases this will satisfy the user auditors requirements.

Additionally, a SAS 70 engagement allows a service organization to have its control policies and procedures evaluated and tested by an independent party. Very often this process results in the identification of opportunities for improvement in many operational areas.

Requirement under The Sarbanes-Oxley Act of 2002, Section 404: Section 404 of Sarbanes-Oxley requires public companies to include a report by management on its assessment of the company's internal controls over financial reporting in each annual report. Each public company's auditor must attest to and report on managements assessment of the company's internal controls and this opinion must also be included in each annual report.

If a public company (user organization) utilizes an external service organization to perform activities that significantly impact a company's financial statements, a Type II SAS 70 report is required. The SAS 70 report should be performed by an independent auditor (service auditor) and provided to the service organization, which in turn, provides the report to the user company's management and auditor.

A SAS 70 Report is the authoritative guidance that allows service organizations to disclose their control activities and processes to customers and their customers auditors in a uniform reporting format. Service auditors are required to follow the AICPAs standards for fieldwork, quality control, and reporting. SAS 70 is not a pre-determined set of control objectives or control activities that the service organization must achieve, rather, it is a report that signifies that the service organizations control objectives and activities have been examined by an independent accounting and auditing firm.

There are two types of SAS 70 reports: Type 1 Report. In a Type I report, the service auditor will express an opinion on (1) whether the service organizationâs description of its controls presents fairly, in all material respects, the relevant aspects of the service organizations controls that had been placed in operation as of a specific date, and (2) whether the controls were suitably designed to achieve the specified control objectives.

Type II Report. In a Type II report, the service auditor will express an opinion on the same items noted above in a Type I report, and (3) whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified. A Type II report not only includes the service organizations description of controls, but also includes detailed testing of the service organizations controls over a minimum six month period.

User organizations should provide a Service Auditor's Report to their auditors. This will greatly assist the user auditor in planning the audit of the user organization's financial statements. Without a Service Auditor's Report, the user organization would likely have to incur additional costs in sending their auditors to the service organization to perform their procedures. CLICK HERE for more information on SAS 70.