SAS 70 Simplified

Service organizations must demonstrate that they have adequate controls and safeguards for hosting or processing their customers’ data. Statement on Auditing Standards No. 70 (SAS 70) provides guidance to auditors when assessing a service organization’s control over activities and processes and disclosing this information to its customers in a formatted report, which helps to establish trust. SAS 70 audits are required to follow AICPA’s fieldwork, quality control, and reporting standards.

There is no specific list of authorized SAS 70 service audit providers. However, SAS 70 audits can only be performed by independent licensed public accountants (CPAs) or firms. These firms must follow specific professional standards established by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), and must also undergo peer reviews. When seeking an audit firm for a SAS 70 audit, some factors to consider are previous SAS 70 audit experience, relevant industry experience, and project management skills.

Any organization providing transaction processing, data hosting, IT infrastructure, or data processing services should be SAS 70 compliant. When evaluating cloud providers, this label will help your business evaluate control and risk.