Many service organizations depend upon the integrity of their information technology environment in order to serve and protect their customers and their business. Many organizations find that having a SAS 70 report may result in benefits including:
- Increased client and customer confidence
- Enhanced risk management
- Improved competitive advantage
- Streamlined business processes and controls
What is a SAS 70 Report?
A SAS 70 report is designed to provide information and assurance about controls within a service organization to user organizations (its clients) and their auditors.
There are two types of SAS 70 reports:
- Type I: provides an opinion as to whether the controls described by the service organization were suitably designed to achieve objectives and whether they have been placed in operation as of a specific date.
- Type II: provides an opinion on the two items noted in the Type I report plus whether the controls described by the service organization were operating effectively throughout a specified period of time, normally six to twelve months, as tested by the service auditor.
Since the Type II report includes testing performed to verify the operational effectiveness of the controls over time, it is more valuable to user organizations and their auditors.