Statement on Auditing Standards No. 70 (SAS 70) was developed by the AICPA to signify that a service organization has been through an in-depth audit of their control processes. SAS 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and the customers' auditors in a uniform reporting format. The examination signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. SAS 70 is generally applicable when we are auditing the financial statements of an entity or organization that obtains services from another service organization.

SJU performs Type I and Type II SAS 70's to a variety of service organizations such as payment processors, application service providers, bank trust departments, claims processing centers, Internet data centers, or other data processing service bureaus.

What are the differences between a Type I and Type II SAS 70?

A Type I SAS 70 encompasses a service auditor's report on a service organization's contols as it relates to an audit of financial statements or specific control objectives relevant to the service organization. A Type I report determines whether such controls were placed in operation as of a specified date in time.

A Type II SAS 70 encompasses a service auditor's report on a service organization's controls as it relates to an audit of financial statements or specific control objectives relevant to the service organization. A Type II report determines whether the controls were in place, tested and operating with sufficient effectiveness to provide reasonable assurance that the related control objectives were achieved during a specified period of time, usually 6 or 12 months.

To learn more, please visit our SAS 70 FAQ.