1. What are the differences between SAS 70 and the ISO 9000 family of standards?
Service organizations that contemplate obtaining a SAS 70 audit often inquire about obtaining independent certification against one of the ISO 9000 standards.
SAS 70 is an auditing standard designed to enable an independent auditor to evaluate and issue an opinion on a service organization's controls. The audit report (i.e. the service auditor's report) contains the auditor's opinion, a description of the controls placed in operation, and a description of the auditor's tests of operating effectiveness (if the report is a Type II). The audit report can be shared with the service organization's customers ("user organizations") and their respective auditors ("user auditors"). The service organization is responsible for describing the control objectives and control activities that would be of interest to user organizations and their respective user auditors.
SAS 70 is not a pre-determined set of standards that a service organization must meet to "pass".
ISO is the International Organization for Standardization. It is made up of some 140 national standards institutes from countries large and small in all regions of the world. ISO develops voluntary technical standards which serve to safeguard consumers and general users of products and services.
ISO 9000 is a family of standards that addresses quality management systems within an organization. When an organization has a management system certified to an ISO 9000 standard, this means an independent auditor has checked that the processes influencing quality conform to the relevant standard's requirements. The primary objective is to give the organization's management and its customers confidence that the organization is in control of the way it does things. An organization that engages an independent auditor or certification body to check their processes receives a certificate of conformity from the auditor/certification body.
ISO 9000 lays down what requirements an organization's quality system must meet, but the standards do not dictate how they should be met. Revisions to the ISO 9000 family of standards occurred in late 2000 to reduce the number of standards; provide more explicit requirements for achieving customer satisfaction and continual improvement; provide a more logical structure; and provide the definition of eight universal quality management principles. Effective December 15, 2000, the ISO 9000 standards were revised as follows:
| Standard | Description |
| --- | --- |
| ISO 9000:2000, Quality management systems - Fundamentals and vocabulary | Establishes a starting point for understanding the standards and defines the fundamental terms and definitions used in the ISO 9000 family. |
| ISO 9001:2000, Quality management systems - Requirements | Revised to include concepts from the former ISO 9001, 9002, and 9003 standards. The standard now has five key sections: Product realization; Quality management system; Management responsibility; Resource management; and Measurement, analysis and improvement. It is now the only standard in the ISO 9000 family against which third-party certification can be performed. |
| ISO 9004:2000, Quality management systems - Guidelines for performance improvements | This guideline standard provides guidance for continual improvement in a quality management system to benefit all parties through sustained customer satisfaction. |
To better compare elements of SAS 70 and ISO 9001:2000, we have prepared the following table:
| Question | SAS 70 | ISO 9001:2000 |
| --- | --- | --- |
| Who develops the standards? | American Institute of Certified Public Accountants (AICPA) | International Organization for Standardization (ISO) |
| Who can perform the audit or certification? | A certified public accounting firm with the appropriate skill set. | Any firm that has been authorized by the ISO to certify. |
| What is the final deliverable resulting from the audit or certification? | A service auditor's report containing the audit opinion, the organization's description of controls, and a description of the auditor's tests of operating effectiveness. | A certificate of conformity from the auditor or certification body. |
| Can this type of engagement satisfy the customer's external financial audit requirements? | Yes, usually. | No. |
| Can the evaluation criteria be customized? | Yes, the service organization is responsible for describing the controls that will be disclosed in the service auditor's report. | No. |
| What areas of the organization's processes are generally covered in this type of engagement? | Control environment, control activities, risk assessment processes, information and communication processes, and monitoring processes. | Quality Management processes |
| What types of controls are generally evaluated and tested in this type of engagement? | Organizational controls, application development and maintenance controls, logical security and access controls, application controls, system maintenance controls, data processing controls and business continuity controls. | None. |
| Are the results of the auditor's procedures disclosed at the conclusion of the engagement? | Yes, in a Type II engagement. | No. |
| Are findings and recommendations presented to the organization as part of the engagement? | Yes, usually. | Optional. |
If you need further information, feel free to send an e-mail to: info@sas70.com.