Changes to SAS 70 Auditing Standard

Posted on 03.05.12

This blog is a re-posting from June 2010

SAS 70 is an auditing standard put forth by the AICPA that is utilized by auditors for examining internal controls in service organizations. Service organizations include: business process outsourcing (payroll, general accounting), data centers, outsourced IT functions, software providers, claim processors, benefit plan administrators, trust administrators, investment advisors, and billing and collections companies.

As part of its project to converge with International Auditing and Assurance Standards Board (IAASB) standards, the AICPA issued SSAE No. 16, which will be effective for reporting periods on or after June 15, 2010.

The new standards include a number of changes for both auditors and companies obtaining SAS 70 audit reports. Two changes that service organizations should be aware of include:

  • The auditor will be required to document the criteria used when auditing a service provider's internal controls.
  • The company will be required to provide a written assertion on the subject matter of the engagement.

If you are a service provider with questions on internal control reports or SAS 70 reports, please feel free to contact Scott McAuliffe, Keiter's Partner in charge of Risk Advisory Services, at 804-273-6247 or smcauliffe (at) keitercpa (dot) com.

Posted by: Scott M. McAuliffe, CPA, CISA, CFE

Scott leads the Firm’s Risk Advisory Services practice, which focuses on providing cybersecurity services, internal audits, information technology audits, Service Organization Control (SOC) audits, and Sarbanes-Oxley assistance. Scott focuses on providing his clients with cost-effective solutions to build strong, efficient internal control systems/practices that support their strategic objectives.