What is SAS 70?
SAS 70 stands for Statement on Auditing Standards No. 70; it was developed and is maintained by the AICPA (American Institute of Certified Public Accountants). Specifically, SAS 70 is titled "Reports on the Processing of Transactions by Service Organizations" and sets the professional standards a service auditor follows when examining and assessing the internal controls of a service organization. At the end of the engagement, the service auditor issues the key deliverable, the "Service Auditor's Report".
It should be noted that SAS 70 is not a bare-bones checklist audit; it is a thorough examination, and the standard itself serves as the authoritative guidance for how that examination is performed. In today's market, it is a helpful and substantial audit that demonstrates transparency to the businesses a service organization works with. It also shows the service organization's prospective clients that the organization has been independently examined and found to have satisfactory controls and safeguards, whether it hosts specific information or processes information such as data belonging to the customers it does business with. (Note that SAS 70 has since been superseded for this purpose by SSAE 16 and the SOC reporting framework, so a current report will usually be a SOC 1 or SOC 2 rather than a SAS 70.)
The Two Types of SAS 70 Reports
It should be noted that there are two different types of SAS 70 reports. The first type, commonly referred to as Type I, includes an opinion written by the service auditor on whether the service organization's description of its controls is fairly presented and whether those controls are suitably designed to achieve the stated control objectives, as of a specific date.
Type II reports are similar to Type I, but add a further section containing the service auditor's opinion on how effectively the controls operated over a defined review period (usually a minimum of six months, but the period can be longer).
There is a substantial difference between the Type I and Type II reports. Type II reports are more thorough, because the auditor gives an opinion on how effectively the controls operated over the defined period of the review. Type I describes the controls and assesses their design at a point in time, whereas Type II also tests the controls in operation to provide reasonable assurance that they are working as intended. When relying on a vendor's report, ask for a Type II and check that the review period is recent and that the controls and systems in scope actually cover the service you consume.