
Information About SAS 70




Unlike some other internal control review standards, SAS 70 provides a firm and its auditor with the assurance that a "service organization" (typically an outsourcing firm or any other subcontractor) properly conceives, implements and discloses its internal control.


METHODS


A SAS 70 audit can only be performed by an independent certified public accountant (CPA) or firm. CPA firms that perform SAS 70 audits must adhere to specific professional standards established by the American Institute of Certified Public Accountants (AICPA). Typically, many SAS 70 jobs are done by the Big Four audit firms, either as part of their certification (Channel One criteria) or as "special assignments" as Channel Two contractors.

The SAS 70 audit can and must be performed everywhere in the world if the company is multi-national.


AUDITOR REPORT


The results of a SAS 70 audit are presented in a SAR ("Service Auditing Report" or "Service Auditor's Report").

As of 2006, there are two versions of a SAR, commonly known as Type I and Type II reports.

The major difference between the two is the documentation of ToC (Testing of Control) in the latter. On this point, SAS 70 follows the standard Walkthrough/Test of Control logic commonly applied during audits. Incidentally, Testing of Controls must be performed over a period of at least 6 months.

The report typically includes the following information:
  • Independent service auditor's opinion (a kind of executive summary giving an overall opinion)

  • Service organization's description of controls, as identified during the review.

  • Information provided by the independent service auditor; includes a description of the service auditor's tests of operating effectiveness and the results of those tests (Type II only)

  • Other information (such as a glossary), if needed


In addition, the report must assess four main indicators:
  • Whether or not the service organization's description of controls is presented fairly.

  • Whether or not the service organization's controls are designed effectively.

  • Whether or not the service organization's controls are placed in operation as of a specified date.

  • Whether or not the service organization's controls are operating effectively over a specified period of time (assessed only if Tests of Controls were performed).



DURATION


Although there is no specified duration set, most companies choose to perform either a partial or a full SAS 70 audit every fiscal year, typically in preparation for the annual final audit review.


SAS 70 AND SARBANES-OXLEY ACT


With the introduction of the Sarbanes-Oxley Act, and especially of Section 404 (Internal Control Disclosure), requirements for SAS 70 went slightly out of date, as a law will always be stronger than an authoritative guidance. Nevertheless, SAS 70 audits still retain a great deal of interest, since they apply specifically to a service organization, while the SOX 404 framework is more general.

