This document discusses Statement on Auditing Standards (SAS) No. 70 and how it relates to Sarbanes-Oxley compliance for service organizations. It defines SAS 70 Type I and Type II reports, noting that Type II reports include testing of operational effectiveness over time. A SAS 70 Type II audit demonstrates that a service organization's controls were suitably designed and operating effectively to meet customer needs. Completing this audit provides assurance to customers that can help meet their Sarbanes-Oxley Section 404 requirements for internal controls reporting.

1. EBSL
IT Operations
EBSL Technologies Int'l
www.ebsltechnologies.com
internal consultant training
SAS 70
Presented by
Jon CRG Shende FBCS CITP
Director IT Services

2. EBSL
SAS 70
Statement of Auditing Standards 70 (SAS 70) is an
internationally recognized auditing standard developed and
adopted as a standard in 1992 by the American Institute of
Certified Public Accountants (AICPA)
Currently there are two types of SAS 70 reports termed
SAS 70 Type I & SAS 70 Type II
2

3. EBSL
SAS 70
SAS 70 is designated by the U.S. Securities and Exchange
Commission (SEC) as an acceptable method for a user
organization's management to obtain assurance about service
organization's internal controls without conducting separate
assessments
3

4. EBSL
SAS 70 Type I
This report includes the service auditor's opinion
The opinion covers
•
fairness of the presentation of the service organization's
description of controls placed into operation &
•
the functionality of the controls to achieve the specified control
objectives
4

5. EBSL
SAS 70 Type II
This report includes the information contained in a Type I service
auditor's report as well as the service auditor's opinion regarding
the operational effectiveness of specific controls during the
period under review
Our Focus in this session will be on the
•
SAS 70 -Type II report
5

6. EBSL
Importance of SAS 70
A SAS 70 audit performed annually, independently verifies the
validity and functionality of a data center's control activities and
processes.
These control activities and processes are especially important to
any entity that must validate the security of financial and
sensitive information controls e.g. healthcare, insurance and
financial institutions and any publicly traded company
6

7. EBSL
SAS 7O & Sarbanes Oxley 1
SOX 404 focuses on processes comprising an organization's
financial reporting process, where management document and
evaluate all controls
Controls must be significant to the financial reporting processes
Evaluations are conducted during an annual assessment on the
effectiveness of internal controls
7

8. EBSL
SAS 7O & Sarbanes-Oxley 2
Services Providers/Vendors
For service providers that process transactions, host data, or
provide other services
Management may
evaluate the design &
test the operating effectiveness of the service organization's
controls
8

9. EBSL
SAS 7O & Sarbanes Oxley 3
Conclusion
SAS No. 70 Type II meets the requirements of Section 404 of
the Sarbanes-Oxley Act of 2002
Regarding SOX 404
SAS 70 audit reports are important to the process of reporting on
the effectiveness of internal control over financial reporting
9

10. EBSL
SAS 70 Type II Audit
This audit includes examination of controls implemented in
operation and testing of operating effectiveness
Testing of controls has a minimum period of at least 6 months
Testing conducted in predetermined time-frames during this
time
Testing is conducted in a manner that mitigates business
interruption of an type
10

11. EBSL
SAS 70 Type II Audit
Designated test period are determined by
external auditor requirements may change testing time
e.g shortened to 4 months or increased to 10 months
user organization demands
service organization financial and operational concerns
11

12. EBSL
SAS 70 Type II Audit
Organizations can obtain Type II compliance can by undergoing a
Type I audit, then moving towards Type II compliance for following
years
However specific factors may dictate an immediate move towards
obtaining Type II compliance from the start
12

13. EBSL
Resources
•
http://www.sec.gov/rules/final/33-8238.htm
•
http://sas70.com/sas70_SOX404.html
•
http://sas70.com/index.html
13