What is a SAS 70 and when is it applicable?
SAS 70 is an auditing standard designed to enable an independent auditor to evaluate and issue an opinion on a service organization's controls. The audit contains the auditor's opinion, a description of the controls placed in operation, and description of the auditor's tests of operating effectiveness. The audit report can be shared with the service organization's customers and their respective auditors. The service organization is responsible for describing its control objectives and control activities that would be of interest to user organizations and the respective user auditors. SAS 70 is not a pre-determined set of standards that a service organization must meet to "pass".

What are the benefits of a SAS 70 audit?
SAS 70 certification has many advantages, such as illustrating to your clients that internal controls within your organization are in place and working as designed. Furthermore, SAS 70 audits allow corporations to distinguish themselves from the competition by using the document as a marketing tool. In essence, it allows the corporation who obtained a SAS 70 audit to show outside parties that their internal controls are operating effectively for a stated period.

How does a SAS 70 affect normal operations of an organization during the audit process?
Many organizations express concern over the time and resources needed to conduct a SAS 70 audit, particularly when the scope includes observing and ultimately testing a large number of controls throughout many areas of a company. Sparrow, Johnson & Ursillo, Inc. is sensitive to these concerns, and thus, strives to conduct SAS 70 engagements with efficiency and effectiveness. We schedule different phases of the audit to accommodate your most valuable resources-your employees and your time.

What is the difference between a Type I and a Type II SAS 70?
Type I SAS 70 encompasses a service auditor's report on a service organization's controls as it relates to an audit of financial statements or specific control objectives relevant to the service organization. A Type I report determines whether such controls were placed in operation as of a specified date in time.

A Type II SAS 70 encompasses a service auditor's report on a service organization's controls as it relates to an audit of financial statements or specific control objectives relevant to the service organization. A Type II report determines whether the controls were in place, tested and operating with sufficient effectiveness to provide reasonable assurance that the related control objectives were achieved during a specified period of time, usually 6 or 12 months.

What information is contained in a SAS 70 report?
Sparrow, Johnson & Ursillo, Inc. SAS 70 reports (Service Auditor's Reports) are generally divided into four sections depending on the type of engagement performed. This format is in a Type I SAS 70 report. The format of the report is flexible, but will always contain the independent service auditors report and the service organizations description of controls.

A Type II SAS 70 report will always contain the independent service auditors report and the service organizations description of controls, information provided by the independent service auditor; which includes a description of the service auditor's tests of operating effectiveness and the results of those tests.

Optional for both a Type I and Type II SAS 70 report is information provided by the service organization as in plans for enhancing its systems. This is not covered by the service auditors opinion in the report.