Understanding SAS 70: The Auditing Standard for Service Organizations

Apr 4
22:34

2024

Jameson Meer

Jameson Meer

  • Share this article on Facebook
  • Share this article on Twitter
  • Share this article on Linkedin

SAS 70, or Statement on Auditing Standards No. 70, was a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It served as a benchmark for service organizations to demonstrate the effectiveness of their internal controls related to financial reporting. However, it's important to note that SAS 70 has been superseded by the SSAE 16 and later by the SSAE 18 standard. This article will delve into the original purpose of SAS 70, its significance, and the transition to newer standards.

The Genesis and Purpose of SAS 70

Historical Context and Implementation

SAS 70 was introduced to provide an authoritative guidance for auditors to evaluate the internal controls of service organizations that impact their clients' financial statements. Service organizations encompass a broad range of industries,Understanding SAS 70: The Auditing Standard for Service Organizations Articles including but not limited to, claims processing entities, credit processing companies, clearinghouses, and data centers.

The Role of SAS 70 in Outsourcing Services

Outsourcing services can significantly affect a client's control environment. SAS 70 audits were not merely a basic checklist but rather a comprehensive examination of a service organization's control landscape. This audit was instrumental in providing transparency to clients about the operational integrity of the service organizations they relied upon.

The Importance of SAS 70 in Regulatory Compliance

Connection with the Sarbanes-Oxley Act

The enactment of the Sarbanes-Oxley Act (SOX) in 2002 heightened the relevance of SAS 70. SOX emphasized the need for accurate financial reporting and internal controls, making SAS 70 a critical resource for demonstrating the effectiveness of these controls within service organizations and ensuring data security.

Types of SAS 70 Reports

Distinguishing Type I and Type II Reports

There were two types of SAS 70 reports:

  1. Type I Report: This report provided an auditor's written opinion on the fairness of the service organization's description of controls and whether they were suitably designed to achieve specified objectives.
  2. Type II Report: Building upon the Type I, this report included the auditor's opinion on the operational effectiveness of the controls over a specified review period.

The key difference between the two reports lies in the scope of the auditor's opinion. Type II reports were more comprehensive, including tests of the operational effectiveness of the controls, and typically incurred higher costs due to the more extensive nature of the audit.

Transition to New Standards: From SAS 70 to SSAE 18

The Evolution of Auditing Standards

While SAS 70 was a cornerstone for service organization audits, it has since been replaced by the Statement on Standards for Attestation Engagements (SSAE) No. 16, and most recently by SSAE No. 18. SSAE 18 is the current standard that service organizations use to produce a Service Organization Control (SOC) report. This evolution reflects the ongoing efforts to refine auditing practices and adapt to the changing landscape of financial reporting and compliance.

The Auditor's Report as a Communication Tool

The auditor's report remains one of the most effective ways for service organizations to communicate the state of their control environment to stakeholders. It provides assurance to clients, investors, and regulators that the organization has undergone a rigorous examination of its internal controls.

Conclusion

While SAS 70 is no longer in use, its legacy continues to shape the way service organizations and auditors approach the assessment of internal controls. The transition to SSAE 18 represents the latest chapter in the ongoing effort to maintain robust and transparent financial reporting practices. For more information on the current standards, you can visit the AICPA's website.

Understanding the historical context and the evolution of these standards is crucial for anyone involved in the auditing process or relying on the services of organizations that handle sensitive financial data. As the business environment grows more complex, the importance of these audits and the assurance they provide cannot be overstated.

Categories: