SAS 70 Type II – Should you care?
In technology, and certainly in government, we seem to live by an alphabet soup of acronyms. Oftentimes these names take on a life of their own and people don't even remember what they stand for or why they are important. A great example is HIPAA (or, as some people refer to it, HIPPA). People will tell you vaguely that it concerns health care information, and that is very often good enough. So what does complying with HIPAA mean? Well, that is for another article, but another example is the SAS 70, Type II. We see this one all the time. Is a type 70 better than a type 69? Would a SAS type 71 be better than a 70? Is there a type 69 or 70? Do you even care? What about Type II versus Type I? What is the difference?
Let's start with some basics for those of you reading this who are too ashamed to admit that you have no idea about the answers to these questions. I found an excellent site called SAS70.com (surprise). Here are some definitions:
Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor's examination performed in accordance with SAS No. 70 ("SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.
SAS No. 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. The issuance of a service auditor's report prepared in accordance with SAS No. 70 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. The service auditor's report, which includes the service auditor's opinion, is issued to the service organization at the conclusion of a SAS 70 examination.
Service Auditor's Reports
One of the most effective ways a service organization can communicate information about its controls is through a Service Auditor's Report. There are two types of Service Auditor's Reports: Type I and Type II. A Type I report describes the service organization's description of controls at a specific point in time (e.g. June 30, 2003). A Type II report not only includes the service organization's description of controls, but also includes detailed testing of the service organization's controls over a minimum six month period (e.g. January 1, 2003 to June 30, 2003). In a Type I report, the service auditor will express an opinion on (1) whether the service organization's description of its controls presents fairly, in all material respects, the relevant aspects of the service organization's controls that had been placed in operation as of a specific date, and (2) whether the controls were suitably designed to achieve specified control objectives.
In a Type II report, the service auditor will express an opinion on the same items noted above in a Type I report, and (3) whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified.
That is a great start. In the next article in this series we will examine why it's important to you.