SAS 70 Audit Reports Offer Two Levels Of Detail

What are the two types of SAS 70 audit reports? What information do they contain?

There are some limitations with the way SAS 70 reports are performed and used.

SAS 70 provides the guidance that enables an independent auditor to produce an opinion on the service provider's description of its IT controls.

  • It is not meant to provide a pre-determined set of control objectives or activities that a service provider MUST achieve.
  • It is also not a "checklist" audit.
  • If a service provider is offering transaction processing, data hosting, IT infrastructure, or other such services, the client's auditor must understand the IT controls of the service provider so that he can properly plan the audit and evaluate the risks involved.
  • Service providers offering data center hosting need to maintain levels of data security, redundancy and personnel controls because they will be expected to report on firewall access, database access, data transmission, backup and recovery, and application security.
  • For providers of managed services, the SAS 70 review must validate the accuracy and integrity of the managed services operations.
  • The SAS 70 evaluation is intended to cover critical benchmarks, completeness, accuracy, and stability of the service rendered by the provider.

Type I SAS 70 Audit Reports

A Type I report contains the auditor's opinion on the IT control structure and description of the IT controls implemented, basically answering some straightforward questions on structure and control:

  • Do they represent the relevant aspects of the service provider's controls that have been put in place as of this specific date?
  • Were these controls suitably designed to achieve specific control objectives?

Type II SAS 70 Audit Reports

In a Type II report, the auditor will express his opinion on the same items reviewed in the Type I report. In addition, he'll express an opinion on whether the controls being tested were operating with sufficient effectiveness to provide reasonable assurances the control objectives were achieved.

SAS 70 Audit Report Limitations

  1. Type I reports only provide a general overview of the service provider's IT control structure. A client requesting an SAS 70 report and expecting to receive more details may only receive the Type I report, which fails to validate the control objectives through testing.
  2. When a Type II report is requested, certain control objectives are selected and tested. However, these selected objectives may not be sufficient to provide adequate assurance regarding the company's critical IT controls.
  3. Other times the right control objectives are selected, but the testing process is not thorough enough for a reliable opinion to be provided regarding these essential IT controls.
  4. If the reports were produced a while ago, they'll likely be limited in scope as compared to regulatory requirements.
  5. Although the American Institute of Certified Public Accountants (AICPA) continues to provide auditing standards and guidance for SAS 70 audit reports, there is still a lack of detailed guidance, which leads to inadequate testing of some critical IT controls.

The key to resolving these issues is to ensure the auditors assigned are knowledgeable in your business as well as being experts in information technology.

One Final Point

IT is the primary source of risks that include poor change management, ineffective controls, missed opportunities, and excessive costs. The more a company relies on IT, the greater the risk IT will represent to the company.

IT has become an executive management responsibility. Therefore, IT Governance means that IT management is becoming a partner with executive management in other areas of the company, such as Finance, HR, and Operations, to provide technology that will solve business problems.

IT is now involved in all strategic planning and operational management; therefore, it requires strong leadership combined with great business skills.

Other Useful Resources

You want to follow the best business practices in managing IT project outsourcing and in finding the right IT outsourcing provider. So to help you in this quest, we have a special offer of professional help.

Our offer is a serious one. First of all, you'll find that while the site information is exhaustive, it appears in a brief, easy-to-read, often bulleted, executive style.

You won't get bogged down in details while browsing this site, but we DO have extensive in-depth information for you if you want or need it. It's free and all you have to do is ask!

Start right now by going to the Contact Us page and completing the simple online form. You'll receive immediate access to two authoritative industry books, which our site sponsor will mail to you at no cost.

As a thank you for participating in our site, you'll also receive a bonus download of "15 Interview Questions To Ask IT Outsourcing Providers".
