What is SAS 70 – Statement on Auditing Standards

Published on: 8/17/2014
Topic: Cyber Security Compliance Standards
Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), with its content codified as AU 324. SAS 70 provides guidance to service auditors when assessing the internal control of a service organization and issuing a service auditor’s report. SAS 70 also provides guidance to auditors of financial statements of an entity that uses one or more service organizations. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.

Overview

There are two types of service auditor reports. A Type I service auditor’s report includes the service auditor’s opinion on the fairness of the presentation of the service organization’s description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives. A Type II service auditor’s report includes the information contained in a Type I service auditor’s report and also includes the service auditor’s opinion on whether the specific controls were operating effectively during the period under review.

User auditor: Traditionally, service auditor reports are primarily used as auditor-to-auditor communication. The auditors of the service organization’s customers (i.e., user auditors) can use the service auditor’s report to gain an understanding of the internal controls in operation at the service organization. Additionally, Type II service auditor reports can be used by the user organizations’ auditors to assess internal control risk for the purposes of planning and executing their financial audit.

Other third parties external to service organizations: Service auditor reports are growing in popularity and are being used by customers, prospective customers and financiers to gain an understanding of the control environment of outsourcing companies. In some cases, these third parties are not intended users of the report, but still find value in using the report as independent third-party verification that controls are in place and are operating effectively.

Unless the report is noted for restricted use only by the CPA firm, the service organization retains control of distributing the report. Every Service Auditor’s report contains an auditor’s opinion letter. The opinion letter is required to contain a paragraph that defines the authorized user of the report. On rare occasions, this paragraph is limited to a specific third party, which may or may not be a user organization. Use of the report is typically restricted to the service organization’s management, its customers, and the financial statement auditors of its customers. Typically, a statement in the final paragraph states:

This report is intended solely for use by the management of XYZ Service Organization, its user organizations, and the independent auditors of its user organizations.

Financial statement auditor of service organization: The report is not designed to support the financial statement auditors of the service organization, because the service organization’s own financial reporting IT controls are not the target of a SAS 70 audit. The environment supporting the user organizations’ processes is the SAS 70 audit scope. However, the Entity Level Control Considerations prepared by a service organization’s external auditor may be useful for a SAS 70 report.

Other auditing standards address the appropriate process to obtain client authorizations for auditors of different firms to obtain audit information about a shared client, which may include the sharing of workpapers and reports between the auditors.

Reference: http://en.wikipedia.org/wiki/Statement_on_Auditing_Standards_No._70:_Service_Organizations


[Show All Sections]