SAS 70 2723

  • Our company currently uses SAS 70s. However, we would like more information on guidelines of when to use them. What is the criteria/framework when a SAS 70 is considered necessary or even required?

  • Have you already had a look at the statement on auditing standard no. 70 (i.e. SAS 70) itself at Resources/Accounting and Auditing/Audit and Attest Standards/Authoritative Standards and Related Guidance for Non-Issuers/auditing_standards.htm ?
    Are you a company that has outsourced certain services that produce information that goes into your financial statements (i.e. a user organization) or do you provide outsourcing services to others (i.e. a service organization)?
    If you are a user organization, the need for a SAS 70 report on the internal controls over the service at the service organization depends on the materiality of the information produced by the service in relation to your consolidated financial statements and on your assessment of the risk of a material missstatement of that information. Outsourced payroll services is an example of a service that is usually material in relation to the financial statements.
    Didn’t you ask the same question on the IIA’s discussion forum?

  • I think SAS70 is being reviewed and will be replaced shortly. The draft of the standard that would be replacing the SAS70 is available on the AICPA website

  • Hi - As gmerkl shares, SAS-70 is most useful when you contract for IT services from another organization . This certification helps ensure the servicing firm for your organization has solid physical security controls and follows many of the best security practices.
    As with all certifications, it’s not an absolute guarantee of safety or security , but helps ensures the company you are doing business with has passed many of the stringent tests SAS70 auditors conduct.
    These links below might also help:

  • Hello everybody,
    I am junior on the it security i have no background info but i am investigating sas70 audit and i need a document list which has to be provide for type 2 audit. General checkpoints are Information Security
    ’ Physical security
    ’ Data security
    ’ Compliance
    Change Management
    Disaster Recovery Plans etc
    Do you know the what kind of documents and formats which we need to prepare for sas 70?

Log in to reply