Professional Documents
Culture Documents
Intro To SAS 70 Audits
Intro To SAS 70 Audits
Intro To SAS 70 Audits
ensure that data and all related processes and procedures are safe, secure,
and IT controls are operating as designed, in an effective manner.
As a result, SAS 70 audits are widely becoming known as the “de
facto due diligence document” throughout the country and the world
regarding the reporting on an organization’s internal controls that
have the ability to impact financial reporting.
What Types of Industries and Organizations Have to
Become SAS 70 Compliant?
Since the scope of SAS 70 audits has grown tremendously within
the last few years, service organizations within almost every conceiv-
able industry can be viewed as potential candidates for this type of
audit. Here is just a partial listing of what we and many industry
experts consider prime candidates for SAS 70 audits:
Other Material
Depending on the type of SAS 70 audit being conducted, the
following additional areas may be included in the service auditor’s
report:
• Information Provided by the Service Auditor. This is
reserved for a Type II engagement and details the testing
and operating effectiveness of the control objectives and
the controls specified by the user organization.
• Information Provided by the Service Organization. This
material can be included for a Type I and Type II audit.
Generally, it may include network topography diagrams or
other types of miscellaneous materials, along with a service
organization’s business continuity and disaster recovery
policies and procedures.
• Client Control Considerations. This section illustrates the
important relationship between the service organization and
users of SAS 70 audit. It stipulates that the company requiring
the audit also has an obligation to adhere to sound internal
control policies within their own corporation.