What is SAS 70?

What is SAS 70?

SAS 70 is an acronym for Statement on Auditing Standard 70; it was developed and is maintained by the AICPA (American Institute of Certified Public Accountants). Specifically, SAS 70 is a "Report on the Processing of Transactions by Service Organizations" where professional standards are set up for a service auditor that audits and assesses internal controls of a service organization. At the end of the audit, the service auditor issues an important report called the "Service Auditor's Report".
SAS 70

A service organization can be defined as a business or entity that provides outsourcing services. These outsourcing services can and in most cases do impact the control environment of customers. Some of the many types of service organizations can be insurance claim processors, data centers, credit processing companies, and clearing houses.

It should be noted that SAS 70 is not a barebones checklist audit; it is an extremely thorough audit that is used chiefly as an authoritative guidance. In today's market, it is a very helpful and substantial audit that shows transparency to the businesses that a service organization works with. In addition, it shows the service organizations prospective clients that the service organization has been thoroughly checked and deemed to have satisfactory controls and safeguards either when hosting specific information or processing information such as data belonging to customers that they do business with.

SAS 70 has grown increasingly popular with the implementation of the Sarbox Act. The Sarbanes-Oxley Act (usually referred to as Sarbox or Sox) adds importance in implementing SAS 70 as an important resource to show the effectiveness of a service organization's internal controls and data security safeguards.