Frequently Asked Questions (FAQ)
11. Is there a baseline standard for how a service organization should disclose its controls?
Yes and no. Service organizations are permitted to disclose their control objectives and activities in any manner they see fit. However, for a SAS 70 audit engagement to be of maximum benefit to the user organizations (i.e., customers) and their auditors, the service organization should disclose its controls in a manner that satisfies the user auditor's requirements. To do this, the service organization's description of controls should address five key components of internal control as defined in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit:
- Control Environment sets the tone of an organization, influencing the control consciousness of its people. The control environment is the foundation for all other components of internal control, providing discipline and structure.
- Risk Assessment is the entity's identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.
- Control Activities are the policies and procedures that help ensure that management directives are carried out.
- Information and Communication are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
- Monitoring is the process that assesses the quality of internal control performance over time.
Since a user organization's auditors are responsible for obtaining an understanding of internal controls to plan the financial statement audit of the user organization, the service organization should attempt to provide its description of controls in a manner that covers the above five elements. Control objectives and control activities should also be organized in a manner that allows the user auditor to identify which controls support the assertions in the user organization's financial statements (e.g., existence, occurrence, completeness, valuation, etc.). The service auditor performing the SAS 70 audit engagement is very often an excellent source of assistance in developing control objectives.
If you need further information, feel free to send an e-mail to: info@sas70.com.
Copyright 2000-2001