1. What is a SAS 70?

    Statement on Auditing Standard No.70 (SAS 70) is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA) in 1992. It is used to report on the “processing of transactions by service organizations”, which can be done by completing either a SAS 70 Type I or Type II audit. A SAS 70 Type I is known as “reporting on controls placed in operation”, while a SAS 70 Type II is known as “reporting on controls placed in operation” and “tests of operating effectiveness.”
    Back to top

  2. Why is my organization being asked to become SAS 70 certified?

    There are a number of reasons why more and more organizations (i.e., service organizations) are being asked to become SAS 70 compliant. Primarily, it stems from the growing surge of legislation, such as the passing of the following recent laws; the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm-Leach-Bliley Act of 1999, but most notably, the Sarbanes-Oxley Act of 2002, section 404 and 302. Collectively, these three rulings advocate protection of privacy, corporate accountability, and establishment of internal controls throughout organizations. Thus, a need was created in many industries for a due diligence process that can aggregate many of the principles found within these three acts and provide companies with a high level of assurance and confidence when using service organizations for outsourcing critical business functions.

    Additionally, the overall growth in technology and its permeation into all layers of business has facilitated the growth of SAS 70 audits. IT facilities such as Internet Service Providers (ISP’s), data warehouses, along with insurance and other health-related claims processing companies have grown exponentially in recent years. Therefore, an audit process to ensure data integrity and all related transactions was needed.

    There is also a huge movement within the business culture of our nation, and globally, that data and all related IT transactions must be safe and secure at all times. Because such a heavy reliance is placed on computer systems, organizations are compelled now more than ever to ensure that data and all related processes and procedures are safe, secure, and IT controls are operating as designed, in an effective manner.

    As a result, SAS 70 audits are widely becoming known as the “de facto due diligence document” throughout the country and the world regarding the reporting on an organization’s internal controls that have the ability to impact financial reporting.
    Back to top

  3. What types of industries and organizations have to become SAS 70 compliant?

    Since the scope of SAS 70 audits has grown tremendously within the last few years, service organizations within almost every conceivable industry can be viewed as potential candidates for this type of audit. Below is just a partial listing of prime candidates for SAS 70 audits:
    - Claims Processing Centers
    - Trust/Benefit Plan Administrators
    - Data Centers and co- locations
    - Application Service Providers
    - Payroll Processors
    - Internet Service Providers
    Back to top

  4. What are the advantages of becoming SAS 70 certified?

    There are numerous advantages for both service organizations and the users of SAS 70 reports to become SAS 70 certified.

    Benefits to Service Organizations: An unqualified (i.e., “clean”) opinion from a SAS 70 service auditor’s report demonstrates that your organization has effective controls in place. A Type I SAS 70 report would issue an unqualified opinion for a stated point in time (i.e., as of June 1, 2005), while a Type II report would also issue an unqualified opinion over a stated time period (i.e., for the period June 1, 2007 to November 30, 2007). An additional benefit to service organizations is the ability to leverage SAS 70 certification into a market differentiator against existing competitors who are vying for outsourcing contracts from user organizations. Becoming SAS 70 compliant also greatly decreases business interruption incidents by effectively removing the possibility of sporadic audits throughout the year for the sole purpose of satisfying requirements set forth by user organizations.

    Benefits to User Organizations: Ultimately, user organizations are able to gain a greater understanding and assurance of the internal controls in place at service organizations. SAS 70 certification signifies that service organizations have taken proactive steps in developing and implementing numerous controls throughout the identified platform being used to process transactions for user organizations. Furthermore, SAS 70 Type I and Type II reports assist external auditors for user organizations by cutting down on the time and costs of having to inquire on controls at service organizations.
    Back to top

  5. What are the primary differences between a SAS 70 audit and the host of security assessments provided by IT consultants?

    Because of the unique nature of what is allowed to be included in a SAS 70 report, auditors have implemented an exhaustive list of policies, procedures and related controls that must be examined for this type of engagement. Therefore, what makes this type of audit superior to any other type of internal control review is quite simply the scope of the engagement and the voluminous amount of information included in the final service auditor’s report.

    While IT security consultants focus primarily on general and application controls when conducting their assessments, SAS 70 auditors emphasize these features, and many more, such as operational and human resource issues, along with physical security guidelines and business continuity plans in the unlikely event of a business interruption disaster. In essence, the greater the scope, the more meaningful and useful the document is. This makes SAS 70 superior to any other internal control review procedure.
    Back to top

  6. Who can provide this type of service to my organization?

    Only a licensed certified public accountant (CPA) or accounting firm can sign-off and issue a SAS 70 Type I or Type II service auditor’s report. While there are many IT professionals who engage in SAS 70 audit work, they are strictly prohibited from issuing a report, and therefore, should never be looked upon as a primary source for conducting this type of audit. IT professionals may provide needed skill sets at times but generally are deficient in many traditional accounting and auditing skills.. Only a seasoned accountant with both financial statement auditing and IT skills should be considered as the primary source for SAS 70 engagements.
    Back to top

  7. What are the primary differences between a SAS 70 Type I and Type II engagement?

    A Type I report simply is issued for a particular date. For example, an accounting firm would examine a company’s controls and report on the processing of transactions and these controls for a specified point in time, such as June 1, 2007.

    A Type II report is issued after a minimum six-month testing period has been completed. For example, an accounting firm would examine a company’s controls from June 1, 2007, to November 30, 2007, and report on the controls placed in operations and tests of operating effectiveness for that same period. Unlike a Type I, which consists of inquiry and observation of controls, a Type II would include testing of controls.


    Type I

    Type II

    SAS 70 Service Auditor’s Report



    Description of Controls



    Information Provided by the Service Auditor (a detailed listing of controls and testing of operating effectiveness)



    Information Provided by the Service Organization



    User organization Control Considerations (Controls that user organizations have in place)



    Back to top

  8. What should my organization expect to pay for these services?

    Because most organizations conducting SAS 70 engagements have failed to produce and implement pricing strategies that meet the changing needs of service organizations, inconsistent and costly engagement fees are all too common. GCS’s pricing model will change the way SAS 70 engagements are priced. We believe in establishing pricing baselines based on complexity of the processing environment and the number of control objectives being evaluated. Our approach enables GCS to competitively price SAS 70 engagement and offer significant savings on previously quoted fees by other firms.
    Back to top

  9. What are the advantages of using GCS for SAS 70 certification?

    GCS utilizes a customized approach that includes templates and an internal controls database that facilitates the SAS 70 process. We greatly reduce the time to complete the audit while maintaining a high level of quality and ensuring that all engagement objectives are met as required by the AICPA. We have years of experience in performing SAS 70 audits, and we refined our process to ensure our clients the following:

    -Minimum business interruption when performing the engagement;
    -A fixed fee. No approximations or hidden costs; and
    -Industry experts, such as employing only certified public accountants and accredited IT professionals.
    Back to top

  10. Can you provide a detailed explanation on how GCS would approach and conduct a SAS 70 audit of my organization?

    GCS has developed a customized audit process that details the primary, critical steps needed to be taken to earn a Type I or Type II certification and subsequent issuance of a service auditor’s report. This methodology is based on years of research and working with clients on SAS 70 engagements. SAS 70 compliance for service organizations is achieved by diligently following these steps.
    Back to top

  11. What is the timeframe for completing the SAS 70 audit after GCS is engaged?

    Timeframes for completing SAS 70 engagements vary by client. GCS commits to providing the initial draft report within 14 days of completing fieldwork. Management typically averages a 7-10 days to review the draft and make any necessary or recommended changes. Once management returns the reviewed draft report, GCS then averages another 7-10 days to issue the final report. However, we are flexible in allowing management as much time as needed to review. On average, we like to have the final report issued within 30 days of completing the fieldwork. This timeframe is significantly shorter than that of Big Four and larger regional firms. Because these firms typically utilize less experienced professionals to perform the SAS 70, more quality reviews are required along with multiple senior management and partner reviews. At GCS, our professionals performing the audit are experienced and able to facilitate the report writing and review process much faster.
    Back to top

  12. On what areas of my organization will GCS conduct a SAS 70 audit?

    Because of the very specialized nature of SAS 70 audits, your entire organization does not go through this audit. Instead, the identified platform or platforms that are currently being used to conduct outsourcing activities related to user organizations is what will be audited along with other areas deemed vital by GCS. For example, if your service organization is conducting outsourcing activities related to statement rendering processing, then all processes and transaction related to that specific platform will be under the scope of a SAS 70 audit. Moreover, a number of operational general controls will be observed, such as:

    -What is your organization’s corporate tone, known as “tone at the top”?
    -Does your organization have effective hiring and termination policies?
    -Does your organization have in place policies and manuals concerning work place professionalism and use of company property?
    -What qualitative and quantitative procedures are in place throughout your organization that assist in maintaining effective internal controls?
    -And many more…
    t must be noted that these controls are inquired upon primarily to gain a better understanding of the overall corporate tone of the organization. The theory is based on the following: Good, sound controls in place for general operational areas are just as important as the highly specialized application controls found throughout software applications and the identified platforms. In essence, a SAS 70 audit is looking at a service organization that implements controls throughout various levels of its company, not just the identified platform being targeted by a SAS 70.
    Back to top

  13. What industry standards does GCS use when conducting a SAS 70 audit?

    SAS 70 auditing procedures utilize a combination of standards derived primarily from institutions having extensive experience in analyzing and developing critical general and applications controls. Many of these standards are recognized as globally accepted best practices approaches, and have been adopted by accountants and consultants worldwide. Listed below is a brief description of the standards used when conducting a SAS 70 audit.

    First released in 1996 and known as the “Control Objectives for Information and Related Technology”, COBIT is an internationally accepted standard for Information Technology security and control practices. It is now in its third edition. Published by the IT Governance Institute, COBIT is fast becoming one of the key standards used by corporations around the globe who need a well-defined set of policies regarding internal control over information and related IT systems. COBIT is compliant with other standards, such as COSO and ISO 17799, and contains 34 high-level control objectives along with over 300 detailed control objectives.

    Essentially, COBIT represents an authoritative, up-to-date control framework, a set of generally accepted control objectives, along with a complimentary product that allows the straightforward application of the Framework and Control Objectives - called the Audit Guidelines. COBIT applies to enterprise-wide information systems, such as personal computers, mini-computers, mainframes and distributed environments. Since the 1st edition of COBIT was released in 1996, it has been sold and implemented in over 100 countries throughout the world.

    Known as the Committee of Sponsoring Organizations of the Treadway Commission, COSO originated in 1985 to address the questionable and fraudulent activities with financial reporting. Key concepts and principles of COSO are built on a theme advocating good, sound internal control practices within organizations. COSO defines internal control as a process influenced by all personnel, such as the board of directors, senior management, and staff.

    Over time, COSO has grown to include additional elements deemed vital for implementing effective internal control procedures. To date, the key concepts for COSO regarding internal control:

    -Internal control is a process. It is a means to an end, not an end in itself.
    -Internal control is influenced by people. It is not simply policy manuals and forms but people at every level of an organization.
    -Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an organization’s management and board.
    -Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

    The Internal Control – Integrated Framework along with the Enterprise Risk Management – Integrated Framework are two frameworks developed by COSO that spell out the critical principles and components of an effective enterprise risk management process, and how all important risks should be identified, assessed, responded to and controlled. It also provides a common language, so that executives, directors and others converse about risk management, they are truly communicating and understand one another.

    ISO 17799
    First published as a code of practice in the United Kingdom, ISO 17799 was called BS 7799 and published in 1995. Initially, there was not much acceptance due to a number of pressing IT issues, such as the coming Y2K compliance. A major overhaul was conducted in 1999, resulting in it being published as an ISO standard in December 2000. ISO 17799 is a comprehensive set of controls comprising best practices in information security. Its main intention is to serve as a reference point for identifying a range of controls needed for situations where information systems are used in industry and commerce. The standard consists of eleven sections, as opposed to just ten in the 2000 standard editions. They are:

    1. Security Policy

    6. Communications and Operations Management

    2. Organizing Information Security

    7. Access Control

    3. Asset Management

    8. I.S. Acquisition, development and maintenance

    4. HR Security

    9. Information Security Incident Management

    5. Physical and Environmental Security

    10. Business Continuity


    11. Compliance

    Established in 1979, the Federal Financial Institutions Examination’s Council, or FFIEC, prescribes uniform principles and standards for the federal examination of financial institutions. Many well-known governmental bodies, such as the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System (FRB) use these standards for reviewing financial organizations. The FFIEC routinely publishes information directly relating to such topics as Systems Development Life Cycle (SDLC), Business Continuity and Disaster Recovery, along with guidelines for implementing general and application controls.
    Back to top

  14. After completing the audit, what documentation will my organization receive as evidence of SAS 70 certification?

    Upon completion of a SAS 70 audit, a CPA or accounting firm will issue a SAS 70 Service Auditor’s Report. This report will include a voluminous amount of data concerning a service organization, including the following:

    Independent Service Auditor’s Report
    Also named the Independent Accountant’s Report, this signed letter will be presented at the beginning of the Service Auditor’s report, stating the opinion of the service auditor. If the SAS 70 audit conducted was a Type I, the service auditor would sign-off as either an unqualified (i.e., clean) opinion or a qualified opinion on the report of controls placed in operation as of a specific point in time. If the audit conducted was a Type II, the service auditor would sign-off as either an unqualified or qualified opinion on the report of controls placed in operation and tests of operating effectiveness. Great attention is given to this document by both the service organization and user organizations.

    Elements of Internal Control
    Within each service organization are a number of essential internal control components, which are examined during a SAS 70 audit. Each control gives valuable insight into the processes and procedures within these service organizations. Developed by COSO and known as SAS 55/SAS 78, the internal control framework consists of the following:

    - Control Environment - The control environment sets the tone of an organization and influences the control consciousness of its members. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; and the way management assigns authority and responsibility and organizes and develops its people.

    - Risk Assessment - Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of operating objectives. Risk assessment is the identification and analysis of risks relevant to the achievement of objectives. This forms a basis for determining how the risks should be managed. Because of ongoing changes in economic, regulatory, and operating conditions, mechanisms are needed to identify and deal with the special risks associated with change.

    - Control Activities - Control activities are the policies and procedures that help ensure that management directives are carried out and that necessary actions are taken to address risks to achieving the entity's objectives. Control activities operate throughout the organization, at all levels, and in all functions. They include a range of activities as diverse as authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

    - Information and Communication - Pertinent information must be identified, captured, and communicated in both a form and a timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operations, financial, and compliance-related information that make it possible to run and control an operation. Such systems deal with both internally generated data, as well as information about external events, activities, and conditions.

    - Monitoring - Internal control systems need to be monitored. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations depends primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported to the upper operational hierarchy.

    Systems Development Life Cycle and Change Management
    A vital piece of a SAS 70 service auditor’s report lies within the processes that take place throughout the different cycles. In particular, attention is paid to the controls in the following environments and how an organization institutes and facilitates changes within the SDLC and the company:
    - Design cycle
    - Development cycle
    - Testing cycle
    - Production cycle
    - Maintenance cycle

    General Computer Controls
    General controls are seen as the necessary framework that must be in place for the success of application controls. General controls can be found in the following areas:

    - Logical Security
    - Physical Security
    - Environmental Security
    - Network Security
    - Computer operations

    Application Controls
    The primary function of these controls are to ensure the completeness and accuracy of the records and the validity of the entries made from both manual and programmed processing. Both Type I and Type II SAS 70 service auditor’s reports will include a detailed examination of application controls.

    Other Material
    Depending on the type of SAS 70 audit being conducted, additional areas may be included in the service auditor’s report, which are the following:

    - Information Provided by the Service Auditor: This is reserved for a Type II engagement and details the testing and operating effectiveness of the control objectives and the controls specified by the user organization.

    - Information Provided by the Service Organization: This material can be included for a Type I and Type II audit. Generally, it may include network topography diagrams or other types of miscellaneous materials, along with a service organization’s business continuity and disaster recovery policies and procedures.

    - Client Control Considerations: This section illustrates the important relationship between the service organization and users of SAS 70 audit. It stipulates that the company requiring the audit also has an obligation to adhere to sound internal control policies within their own corporation.
    Back to top

  15. How long is a “Service Auditor’s Report” valid for?

    A service auditor report is valid for one full calendar year for both a SAS 70 Type I and a Type II audit. For example, if a service organization received a Type I service auditor’s report for reporting of controls on July 1, 2007, then it is valid until July 1, 2008. For SAS 70 Type II service auditor’s reports, if a report was issued that covered the period from June 1, 2007 to November 30, 2007, then the report is valid until November 30, 2007. Depending on a service organization’s needs and their client’s needs, testing for year two would begin approximately 6 months before the report expires. This is done to keep the SAS 70 certification valid at all times.
    Back to top

  16. Will my organization need to be SAS 70 certified every year?

    If your organization is being asked to become SAS 70 certified, then it is highly likely that continued certification will become a requirement. Why? Because organizations are just beginning to feel the trickle down effects of Sarbanes-Oxley and many other regulatory provisions. In addition, user organizations that may not even fall under regulatory requirements are pushing service organizations to have their internal controls certified.

    Lastly, now more than ever, there is a huge push within the business community to have internal controls and related processes and procedures certified, regardless of cost or industry. The scope is quite enormous and will more than likely continue to expand at an exponential rate.
    Back to top

  17. Ultimately, who uses and reads a Service Auditor’s Report?

    Traditionally, service auditor’s reports were used primarily as an auditor to auditor document. This is dramatically changing as service organizations are making this document available to potential clients who are inquiring about a service organizations internal controls. With that said, its primary function is still a document used between an auditor of the service organization and the auditor of a user organization, but is now incorporating a marketing element within it.
    Back to top

Gray CPA, PLLC All Rights Reserved