Intro To SAS 70 Audits


An Introduction to SAS 70 Audits

Christopher G. Nickell and Charles Denyer

Statement on Auditing Standard No. 70 (SAS 70) is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA) in 1992. This article offers an overview of the SAS 70 audit used to report on the “processing of transactions by service organizations,” which can be done by completing either a SAS 70 Type I or Type II audit. A SAS 70 Type I is known as “reporting on controls placed in operation,” while a SAS 70 Type II is known as “reporting on controls placed in operation” and “tests of operating effectiveness.”

SAS 70 COMPLIANCE GROWING

There are a number of reasons why more and more organizations (i.e., service organizations) are being asked to become SAS 70 compliant. Primarily, it stems from the growing surge of legislation, such as the passing of the following recent laws: the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act of 1999, and, most notably, the Sarbanes-Oxley Act of 2002, Sections 404 and 302. Collectively, these three acts advocate protection of privacy, corporate accountability, and the establishment of internal controls throughout organizations. Thus, a need was created in many industries for a due diligence process that can aggregate many of the principles found within these three acts and provide companies with a high level of assurance and confidence when using service organizations for outsourcing critical business functions.

Additionally, the overall growth in technology and its permeation into all layers of business has facilitated the growth of SAS 70 audits. IT facilities such as Internet Service Providers (ISPs) and data warehouses, along with insurance and other health-related claims processing companies, have grown exponentially in recent years. Therefore, an audit process to ensure data integrity and all related transactions was needed.

There is also a huge movement within the business culture of our nation, and globally, that data and all related IT transactions must be safe and secure at all times. Because such a heavy reliance is placed on computer systems, organizations are compelled now more than ever to ensure that data and all related processes and procedures are safe and secure, and that IT controls are operating as designed, in an effective manner. As a result, SAS 70 audits are widely becoming known as the “de facto due diligence document” throughout the country and the world regarding the reporting on an organization’s internal controls that have the ability to impact financial reporting.

Christopher G. Nickell and Charles Denyer are senior managers with CPA firm DuPont & Morgan LLC. Christopher G. Nickell also serves as a part-time instructor of Accounting at Georgia State University.

BENEFITS LAW JOURNAL 58 VOL. 20, NO. 1, SPRING 2007
What Types of Industries and Organizations Have to Become SAS 70 Compliant?

Since the scope of SAS 70 audits has grown tremendously within the last few years, service organizations within almost every conceivable industry can be viewed as potential candidates for this type of audit. Here is just a partial listing of what we and many industry experts consider prime candidates for SAS 70 audits:

• Claims processing centers;
• Trust/benefit plan administrators;
• Data centers and co-locations;
• Application service providers;
• Payroll processors; and
• Internet service providers.

What Are the Advantages of Becoming SAS 70 Certified?

There are numerous advantages for both service organizations becoming SAS 70 certified and the users of SAS 70 reports.

Benefits to Service Organizations

An unqualified (i.e., clean) opinion from a SAS 70 service auditor’s report demonstrates that your organization has effective controls in place. A Type I SAS 70 report would issue an unqualified opinion for a stated point in time (e.g., as of June 1, 2005), while a Type II report would also issue an unqualified opinion over a stated time period (e.g., for the period June 1, 2005, to November 30, 2005). An additional benefit to service organizations is the ability to leverage SAS 70 certification into a market differentiator against existing competitors who are vying for outsourcing contracts from user organizations. Becoming SAS 70 compliant also greatly decreases business interruption incidents by effectively removing the possibility of sporadic audits throughout the year for the sole purpose of satisfying requirements set forth by user organizations.


Benefits to User Organizations

Ultimately, user organizations are able to gain a greater understanding and assurance of the internal controls in place at service organizations. SAS 70 certification signifies that service organizations have taken proactive steps in developing and implementing numerous controls throughout the identified platform being used to process transactions for user organizations. Furthermore, SAS 70 Type I and Type II reports assist external auditors for user organizations by cutting down on the time and costs of having to inquire on controls at service organizations.

WHY SAS 70 AUDITS ARE UNIQUE

Because of the unique nature of what is allowed to be included in a SAS 70 report, auditors have implemented an exhaustive list of policies, procedures, and related controls that must be examined for this type of engagement. Therefore, what makes this type of audit superior to any other type of internal control review is quite simply the scope of the engagement and the voluminous amount of information included in the final service auditor’s report. While IT security consultants focus primarily on general and application controls when conducting their assessments, SAS 70 auditors emphasize these features, and many more, such as operational and Human Resource issues, along with physical security guidelines and business continuity plans in the unlikely event of a business interruption disaster. In essence, the greater the scope, the more meaningful and useful the document is. And this is what makes SAS 70 superior to any other internal control review procedure.

Only a certified public accountant (CPA) or accounting firm can sign off and issue a SAS 70 Type I or Type II service auditor’s report. While there are many IT professionals who engage in SAS 70 audit work, they are strictly prohibited from issuing a report and therefore should never be looked upon as a primary source for conducting this type of audit. While they may provide needed skill sets at times, they are generally deficient in many traditional accounting and auditing skills and therefore lack the ability to understand various components of a SAS 70 audit. Only a seasoned accountant, with both financial statement auditing and IT skills, should be considered as the primary source for SAS 70 engagements.
What Are the Primary Differences Between a SAS 70 Type I and Type II Engagement?

A Type I report simply is issued for a particular date. For example, an accounting firm would examine a company’s controls and report on the processing of transactions and these controls for a specified point in time, such as June 1, 2005.


A Type II report is issued after a minimum six-month testing period has been completed. For example, an accounting firm would examine a company’s controls from June 1, 2005, to November 30, 2005, and report on the controls placed in operation and tests of operating effectiveness for that same period. Unlike a Type I, which consists of inquiry and observation of controls, a Type II would include testing of controls. Table 1 lists contents found in a Type I and Type II report:

TABLE 1. CONTENTS OF TYPES I AND II REPORTS

Information                                                     Type I     Type II
SAS 70 Service Auditor’s Report                                 Required   Required
Description of Controls                                         Required   Required
Information Provided by the Service Auditor (a detailed
  listing of controls and testing of operating effectiveness)   Optional   Required
Information Provided by the Service Organization                Optional   Optional
User Organization Control Considerations (controls that
  user organizations have in place)                             Optional   Optional

ORGANIZATIONAL AREAS TO BE AUDITED

Because of the very specialized nature of SAS 70 audits, your entire organization does not go through this audit. Instead, the identified platform or platforms that are currently being used to conduct outsourcing activities related to user organizations is what will be audited, along with other areas deemed vital by the auditor. For example, if your service organization is conducting outsourcing activities relating to claims processing, then all processes and transactions relating to that specific platform will be under the scope of a SAS 70 audit. Moreover, a number of operational general controls will also be observed, such as the following:

• What is your organization’s corporate tone, known as “tone at the top”?
• Does your organization have effective hiring and termination policies?
• Does your organization have in place policies and manuals concerning workplace professionalism and use of company property?


• What qualitative and quantitative procedures are in place throughout your organization that assist in maintaining effective internal controls?

It must be noted that these controls are inquired upon primarily to gain a better understanding of the overall corporate tone of the organization. The theory is based on the following: good, sound controls in place for general operational areas are just as important as the highly specialized application controls found throughout software applications and the identified platforms. In essence, a SAS 70 audit is looking at a service organization that implements controls throughout various levels of its company, not just the identified platform being targeted by a SAS 70.

INDUSTRY STANDARDS USED DURING SAS 70 AUDITING

SAS 70 auditing procedures utilize a combination of standards derived primarily from institutions having extensive experience in analyzing and developing critical general and application controls. Many of these standards are recognized as globally accepted best practice approaches, and have been adopted by accountants and consultants worldwide.

Control Objectives for Information and Related Technology

First released in 1996 and known as the “Control Objectives for Information and Related Technology,” COBIT is an internationally accepted standard for Information Technology security and control practices that is now in its third edition. Published by the IT Governance Institute, COBIT is fast becoming one of the key standards used by corporations around the globe who need a well-defined set of policies regarding internal control over information and related IT systems. COBIT is compliant with other standards, such as COSO and ISO 17799, and contains 34 high-level control objectives along with over 300 detailed control objectives.

Essentially, COBIT represents an authoritative, up-to-date control framework, a set of generally accepted control objectives, along with a complementary product that allows the straightforward application of the Framework and Control Objectives, called the Audit Guidelines. COBIT applies to enterprise-wide information systems, such as personal computers, mini-computers, mainframes, and distributed environments. Since the first edition of COBIT was released in 1996, it has been sold and implemented in over 100 countries throughout the world.


Committee of Sponsoring Organizations of the Treadway Commission

The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, originated in 1985 to address questionable and fraudulent activities in financial reporting. Key concepts and principles of COSO are built on a theme advocating good, sound internal control practices within organizations. COSO defines internal control as a process, influenced by all personnel, such as the board of directors, senior management, and staff.

Over time, COSO has grown to include additional elements deemed vital for implementing effective internal control procedures. To date, the key concepts for COSO regarding internal control are the following:

• Internal control is a process. It is a means to an end, not an end in itself.
• Internal control is influenced by people. It is not simply policy manuals and forms, but people at every level of an organization.
• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an organization’s management and board.
• Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

The Internal Control-Integrated Framework, along with the Enterprise Risk Management-Integrated Framework, are two frameworks developed by COSO that spell out the critical principles and components of an effective enterprise risk management process, and how all important risks should be identified, assessed, responded to, and controlled. They also provide a common language, so that as executives, directors, and others converse about risk management, they are truly communicating and understand one another.
ISO 17799

ISO 17799 was first published as a code of practice in the United Kingdom; it was then renamed BS 7799 and published in 1995. Initially, there was not much acceptance due to a number of pressing IT issues, such as the coming Y2K compliance. A major overhaul was conducted in 1999, resulting in its being published as an ISO standard in December of 2000. ISO 17799 is a comprehensive set of controls comprising best practices in information security. Its main intention is to serve as a reference point for identifying a range of controls that are needed for situations where information systems are used in industry and commerce. The current standard consists of eleven sections, as opposed to just ten in the 2000 edition.
FFIEC

Established in 1979, the Federal Financial Institutions Examination Council (FFIEC) prescribes uniform principles and standards for the federal examination of financial institutions. Many well-known governmental bodies, such as the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System (FRB), use these standards for reviewing financial organizations. The FFIEC routinely publishes information directly relating to such topics as the Systems Development Life Cycle (SDLC), Business Continuity, and Disaster Recovery, along with guidelines for implementing general and application controls.

DOCUMENTATION OF SAS 70 CERTIFICATION

Upon completion of a SAS 70 audit, a CPA or accounting firm will then issue a SAS 70 Service Auditor’s Report. This report will include a voluminous amount of data concerning a service organization, such as the following:

Independent Service Auditor’s Report

Also named the Independent Accountant’s Report, this signed letter will be presented at the beginning of the Service Auditor’s Report, stating the opinion of the service auditor. If the SAS 70 audit conducted was a Type I, the service auditor would sign off with either an unqualified (i.e., clean) opinion or a qualified opinion on the report of controls placed in operation as of a specific point in time. If the audit conducted was a Type II, the service auditor would sign off with either an unqualified or qualified opinion on the report of controls placed in operation and tests of operating effectiveness. Great attention is given to this document by both the service organization and user organizations.
Elements of Internal Control

Within each service organization are a number of essential internal control components, which are examined during a SAS 70 audit. Each control gives valuable insight into the processes and procedures within these service organizations. Developed by COSO and known as SAS 55/SAS 78, the internal control framework consists of the following:

• Control Environment. The control environment sets the tone of an organization and influences the control consciousness of its members. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity’s people; management’s philosophy and operating style; and the way management assigns authority and responsibility and organizes and develops its people.
• Risk Assessment. Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of operating objectives. Risk assessment is the identification and analysis of risks relevant to the achievement of objectives. This forms a basis for determining how the risks should be managed. Because of ongoing changes in economic, regulatory, and operating conditions, mechanisms are needed to identify and deal with the special risks associated with change.
• Control Activities. Control activities are the policies and procedures that help ensure that management directives are carried out and that necessary actions are taken to address risks to achieving the entity’s objectives. Control activities operate throughout the organization, at all levels, and in all functions. They include a range of activities as diverse as authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
• Information and Communication. Pertinent information must be identified, captured, and communicated in both a form and a timeframe that enable people to carry out their responsibilities. Information systems produce reports containing operations, financial, and compliance-related information that make it possible to run and control an operation. Such systems deal with both internally generated data, as well as information about external events, activities, and conditions.
• Monitoring. Internal control systems need to be monitored. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations depends primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported to the upper operational hierarchy.
Systems Development Life Cycle and Change Management

A vital piece of a SAS 70 service auditor’s report lies within the processes that take place throughout the different cycles. In particular, attention is paid to the controls in the following environments and how an organization institutes and facilitates changes within the SDLC and the company:

• Design cycle;
• Development cycle;
• Testing cycle;
• Production cycle; and
• Maintenance cycle.

General Computer Controls

General controls are seen as the necessary framework that must be in place for the success of application controls. General controls can be found in the following areas:

• Logical security;
• Physical security;
• Environmental security;
• Network security; and
• Computer operations.

Application Controls

The primary function of these controls is to ensure the completeness and accuracy of the records and the validity of the entries made from both manual and programmed processing. Both Type I and Type II SAS 70 service auditor’s reports will include a detailed examination of application controls.


Other Material

Depending on the type of SAS 70 audit being conducted, the following additional areas may be included in the service auditor’s report:

• Information Provided by the Service Auditor. This is reserved for a Type II engagement and details the testing and operating effectiveness of the control objectives and the controls specified by the user organization.
• Information Provided by the Service Organization. This material can be included for a Type I and Type II audit. Generally, it may include network topology diagrams or other types of miscellaneous materials, along with a service organization’s business continuity and disaster recovery policies and procedures.
• Client Control Considerations. This section illustrates the important relationship between the service organization and the users of the SAS 70 audit. It stipulates that the company requiring the audit also has an obligation to adhere to sound internal control policies within its own corporation.

CERTIFICATION AND RECERTIFICATION

A service auditor report is valid for one full calendar year for both a SAS 70 Type I and a Type II audit. For example, if a service organization received a Type I service auditor’s report for reporting of controls on July 1, 2004, then it is valid until July 1, 2005. For SAS 70 Type II service auditor’s reports, if a report was issued that covered the period from June 1, 2004, to November 30, 2004, then the report is valid until November 30, 2005. Depending on a service organization’s needs and their clients’ needs, testing for year two would begin approximately six months before the report expires. This is done to keep the SAS 70 certification valid at all times.

Traditionally, service auditor reports were used primarily as an auditor-to-auditor document. This is dramatically changing as service organizations are making this document available to potential clients who are inquiring about a service organization’s internal controls. With that said, its primary function is still a document used between an auditor of the service organization and the auditor of a user organization, but it now incorporates a marketing element within it.

If your organization is being asked to become SAS 70 certified, then it is highly likely that continued certification will become a requirement. Why? Because organizations are now just beginning to feel the trickle-down effects of Sarbanes-Oxley and many other regulatory provisions. In addition, user organizations that may not even fall under regulatory requirements are pushing service organizations to have their internal controls certified.

Lastly, now more than ever, there is a huge push within the business community to have internal controls and related processes and procedures certified, regardless of the cost or the industry. The scope is quite enormous, and will more than likely continue to expand at an exponential rate.
