Find answers to the most commonly asked questions about SAS No. 70, Service Organizations (often referred to as SAS 70), which has been replaced by SSAE 16.

Frequently Asked Questions About SAS 70 (Now SSAE 16)

  • Mark Eich

What is SAS 70?

The acronym "SAS" stands for Statement on Auditing Standards, and was developed by the American Institute of Certified Public Accountants (AICPA). CPA firms must follow the rules set forth by the AICPA when conducting an audit of a company’s financial statements.

SAS No. 70, Service Organizations (often referred to as SAS 70) contains the rules for conducting an audit of a service organization’s internal controls and issuing a service auditor’s report. Service auditors are required to follow these rules when conducting a SAS 70 audit.

The primary objective of the service auditor’s report (auditor’s opinion) is to provide the reader with information about the internal controls and security practices at a service organization. The role of the CPA firm (service auditor) is to perform tests in order to provide independent assurance about the accuracy and adequacy of that description of controls.

There are two types of service auditor’s reports:

  • Type I (reports on controls in operation)
  • Type II (reports on controls in operation and tests of operating effectiveness)

Why has SSAE 16 replaced SAS 70?

In an effort to move toward international accounting standards, the AICPA issued Statement of Standards for Attestation Engagements 16 (SSAE 16) in April 2010. It replaces SAS 70, making SSAE 16 the de facto standard for reporting on internal controls at service organizations. SSAE 16 is designed to closely mirror International Standard on Assurance Engagements 3402 (ISAE 3402).

It is intended to provide user organizations and their auditors improved assurance about the reliability of controls throughout the reporting period. The new reporting is required for all service organization control reports with periods ending June 15, 2011, or later.

What are the differences between the Type I and Type II Service Auditor’s Reports?

The key distinction between the two types of SAS 70 reports is the level of testing, and therefore, the level of assurance the SAS 70 report provides. The auditor’s report is directed at the description of controls provided by the service organization. In a Type I report, the auditor’s opinion states that the description is reasonably accurate, the controls described are suitably designed to achieve specified control objectives, and the controls have been implemented as of a specified date. This opinion is therefore a “point-in-time” opinion.

The Type II report offers more assurance. In addition to stating that the description is reasonably accurate, the controls described are suitably designed to achieve specified control objectives, and the controls have been implemented, the auditor’s opinion also states that the controls described operated effectively over a specified period of time. The time period is typically six months to a year. Obviously, the marketplace greatly prefers the increased level of assurance offered in a Type II report.

What is a service organization?

Service organizations are otherwise known as outsourced data centers. They are organizations hired by another entity to process transactions and data, which are usually confidential. Service organizations are part of the users’ internal control. Examples include companies that perform services in the following areas:

  • Accounting
  • Benefits
  • Billing
  • Clearing house
  • Collection
  • Finance
  • Insurance
  • Investment
  • Information technology (IT)
  • Market research
  • Payroll

What is the history of SAS 70?

The AICPA established SAS 70 in response to a huge market shift toward outsourcing data processing. This shift put a significant portion of a company’s internal controls into the hands of the service organization they hired to process their transactions. Service organizations found themselves responding to multiple audit requests from their clients and their respective auditors, which strained their resources.

SAS 70 eliminated the request for nonstop audits because one audit firm can now audit the internal controls. The auditors for the service organization’s customers (the user organization) can rely on this single audit.

How is SAS 70 related to Sarbanes-Oxley?

After several public companies were charged with fraud and negligence, the Sarbanes-Oxley Act of 2002 (SOX) was implemented. Section 404 of SOX requires independent auditors to assess and express an opinion on the effectiveness of its clients’ internal controls over financial reporting, including service organization controls.

Internal controls are the safeguards companies apply to ensure that financial reporting is reasonably accurate and free of significant misstatements, errors, and fraud. They include business process controls and IT security practices.

Many public companies outsource functions of their business to third parties (service organizations). Frequently those functions constitute a key element of the financial reporting process. Therefore, the service organization must be included in the SOX 404 assessment.

What industries are requesting SAS 70 services?

Since the downfall of Enron, there has been an outcry for more sound governance practices. The impact of SOX has resulted in pressures on service organizations to obtain a SAS 70 audit. Any organization (large or small, for-profit or nonprofit) that has a financial statement audit and uses a service organization could benefit from obtaining a SAS 70 report for their service auditor. If applied correctly, the report shows evidence of financial reporting controls and the safeguarding of confidential information.

Many industries are now requiring vendors to obtain SAS 70 audits, including financial service companies, construction and real estate, dealership, health care, insurance, nonprofit, government, manufacturing and distribution, and trucking and transportation.

Not only has SOX affected the banking and health care industries, but lately these industries have received a lot of negative attention for being targets of cyber thieves who use their confidential data for fraud and identity theft. Naturally, the regulatory environment is becoming stricter. Those with fiduciary responsibilities must take their roles very seriously and establish the policies necessary to mitigate risks.

Alarmed by the growing number of data and identity thefts, banking and health care regulators are focusing on vendor management. Financial institutions and health care providers are required to know more about the security and privacy practices of the companies they are outsourcing business functions to (service organizations).

Many regulations have been implemented to address the threats to banking and health care data and information system vulnerabilities. And the government is following up to make sure organizations are in compliance. For example, the Centers for Medicare & Medicaid Services (CMS) plans to conduct security audits in 2008 to check for compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

What are the benefits of SAS 70 to a service organization?

Service organizations receive significant value from the performance of a SAS 70 engagement:

  • A SAS 70 audit provides assurance for SOX, bank regulators, HIPAA, user organizations, and more.
  • Often the SAS 70 engagement identifies opportunities for improvements in operational areas. SAS 70 can dramatically improve your internal control — resulting in minimized risk of error, irregularities, and fraud.
  • A SAS 70 audit with an unqualified opinion can be used as a marketing tool to show potential customers you are committed to the development of sound internal safeguards and business practices. SAS 70 can differentiate you from your peers.
  • Without a service auditor’s report, service organizations may have to respond to multiple audit requests from their clients and their respective auditors, which will strain resources. A SAS 70 report will ensure that all user organizations and their auditors have access to the same information and in many cases will satisfy the user auditor’s requirements.

What are the benefits of SAS 70 to a user organization?

User organizations that obtain a service auditor’s report receive a detailed description of the service organization's controls and an independent assessment of whether the controls were placed in operation, suitably designed, and operating effectively (in the case of a Type II report). User auditors will use this information when obtaining a sufficient understanding of controls to assess the risk of material misstatement of the financial statements.

User organizations should provide a service auditor's report to their auditors. This will help plan the audit of the user organization's financial statements. Without this report, the user organization would likely incur additional costs sending their auditors to the service organization to perform their required procedures.

What types of organizations provide SAS 70 services?

Only an independent, licensed CPA firm can conduct SAS 70 audit services, and when doing so they are required to follow the professional standards developed by the AICPA.

Final reports must be reviewed and issued by a licensed CPA; however, public accounting firms are permitted to utilize the skills of non-CPA professionals as part of the SAS 70 engagement team. Typically, non-CPA professionals are relied upon for their specialized information security certifications.

What should a service organization look for in a service auditor?

Any CPA firm can offer SAS 70 audit services; however, service organizations should seek out firms with SAS 70 experience and the staff to provide the services. Look for personnel with a combination of accounting, auditing, and information security credentials including Microsoft Certified Professional (MCP), Citrix Certified Administrator (CCA), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and CPA.

Where do service organizations begin if they’ve never had a SAS 70 audit?

Service organizations that have never had a SAS 70 audit usually start off with a pre-assessment consulting engagement. The pre-assessment is designed to determine whether the existing control environment is robust enough to pass the suitably designed component of the auditor’s opinion.

Two key components of the pre-assessment include documenting descriptions of the internal controls and identifying control deficiencies. Since many organizations lack extensive written policies and procedures, this is not a trivial task and is typically the most time consuming and expensive part of the SAS 70 audit.

Service organizations with a control framework have an advantage because in many cases, it provides the process and documentation necessary to minimize the effort often required in the pre-assessment phase. (Refer to "What are the benefits of a control framework?" for more details.)

What is included in a typical first-time SAS 70 project?

If a service organization has never had a SAS 70 audit, the first-time project would include:

  • Pre-assessment (Refer to "Where do service organizations begin if they’ve never had a SAS 70 audit?" for more details.)
    • Identify control objectives
    • Obtain a description of controls relevant to achieving objectives
    • Assess the accuracy of the description of the controls
    • Identify gaps
    • Develop a gap remediation strategy
    • Develop a written description of controls
  • Remediation
    • Institute improved controls to address gaps identified in the pre-assessment
  • SAS 70 audit
    • Type I or II

What are the benefits of a control framework?

A control framework helps develop the control objectives. In many cases, it provides the process and control documentation necessary to minimize the effort required in the pre-assessment phase.

A framework also provides the users of the SAS 70 report a reliable, repeatable method to objectively measure the controls put in place by the service organization. By comparing the control objectives and activities reported by the service organization to those contained in the framework, the users can get an improved sense for the completeness of controls reported.

Do you recommend the COSO, COBIT, or ISO 17799 framework?

There are three widely recognized and distributed control frameworks: COSO, COBIT, and ISO 17799.

CliftonLarsonAllen believes the COBIT framework is the most useful control framework for SAS 70 reporting. COBIT’s framework maps well to COSO, and public accounting firms that audit the financial statements of public companies understand it. For these reasons, using COBIT for SAS 70 assessments is especially useful for the internal control reporting requirements contained in SOX 404.

What is SAS 70 certification?

Technically, there is no such thing as a SAS 70 certification because a SAS 70 audit states an auditor’s opinion on a service organization’s internal controls and security practices for a specific period of time. However, it’s common in the marketplace to refer to a SAS 70 audit as SAS 70 certification.

How often should SAS 70 audits be performed?

A service auditor’s report is typically valid for 6 months to one year from the date it’s issued. The majority of service organizations that engage service auditors to conduct SAS 70 audits have them done on an annual basis.

How are SAS 70 audit reports distributed?

The distribution of a SAS 70 report is usually restricted. The plan for distributing the SAS 70 audit report should be formally agreed upon in the engagement letter between the service organization and the service auditor. Service auditor’s reports are generally distributed in three ways:

  • A service auditor will distribute a service auditor’s report to the audited service organization at the close of a SAS 70 audit.
  • The service organization will provide copies of the service auditor’s report to their customers (the organizations that hired them to outsource business functions) who are required to show their auditors the SAS 70 report.
  • The service organization will likely use the service auditor’s report as a marketing tool to differentiate its organization from the competition.

How can service organizations use SAS 70 as a marketing tool?

A SAS 70 audit with an unqualified opinion can be used as a marketing tool. Some service organizations are marketing their audits in proposals, email signatures, press releases, website materials, direct mail, giveaways, brochures, etc.

Mark Eich, Partner-in-Charge, Information Security Services or 612-397-3128