SAS70

Carpathia Hosting holds a Type II SAS70

Statement on Auditing Standards No. 70 - Set up by the American Institute of Certified Public Accountants in 1993, SAS 70 spells out how an external auditor should assess the internal controls of an outsourcing service provider and issue an attestation report to outside parties or to a client.

Under SAS 70, an outsourcing-service provider undergoes an audit, performed either by its own independent auditor or by the auditors of its outsourcing clients.

What is the difference between SAS70 Type I and Type II?

There are two types of service-auditor reports:

  • Type I includes the service auditor's opinion on the fairness of the presentation of the provider's description of its controls and how well they're designed to meet specified control objectives.
  • Type II, generally preferred for its greater depth, includes the same data as Type I as well as the auditor's opinion on the effectiveness of the controls during the period under review.

How does SAS70 differ from ISO 9000?

SAS 70 is an auditing standard designed to enable an independent auditor to evaluate and issue an opinion on a service organization's controls. The audit report (i.e. the service auditor's report) contains the auditor's opinion, a description of the controls placed in operation, and a description of the auditor's tests of operating effectiveness (if the report is a Type II). The audit report can be shared with the service organization's customers ("user organizations") and their respective auditors ("user auditors"). The service organization is responsible for describing its control objectives and control activities that would be of interest to user organizations and the respective user auditors.

SAS 70 is not a pre-determined set of standards that a service organization must meet to "pass".

ISO is the International Organization for Standardization. It is made up of some 140 national standards institutes from countries large and small in all regions of the world. ISO develops voluntary technical standards that serve to safeguard consumers and general users of products and services.

ISO 9000 is a family of standards that addresses quality management systems within an organization. When an organization has a management system certified to an ISO 9000 standard, this means an independent auditor has checked that the processes influencing quality conform to the relevant standard's requirements. The primary objective is to give the organization's management and its customers confidence that the organization is in control of the way it does things. An organization that engages an independent auditor or certification body to check its processes receives a certificate of conformity from the auditor/certification body.

ISO 9000 lays down what requirements an organization's quality system must meet, but the standards do not dictate how they should be met.

Does Sarbanes-Oxley have anything to do with SAS70?

Yes, they are related under certain circumstances.

The Sarbanes-Oxley Act of 2002 was issued in the wake of a series of corporate financial scandals, including those affecting Enron and WorldCom. The Act applies to all companies that are required to file periodic reports with the SEC and contains a number of significant changes relating to the responsibilities of directors and officers and the reporting and corporate governance obligations of SEC-reporting companies. Major sections of the Act deal with:

  • Corporate Disclosure and Governance
  • Insider Accountability and Disclosure Obligations
  • Auditor Independence
  • Sanctions for Criminal and Civil Wrongdoing
  • Analyst and Attorney Matters

The Act specifies several requirements that include management's quarterly certification of their financial results and management's annual assertion that internal controls over financial reporting are effective (Section 404). In the case of Section 404, the independent auditor of the organization is required to opine on management's assertion over internal control in addition to the auditor's opinion on the fair presentation of the organization's financial statements. This additional testing of management's assertion is referred to as an attestation examination.
