2.  Who can perform a SAS 70 audit?  What should the service organization look for?

A SAS 70 audit can only be performed by an independent certified public accountant (CPA) or firm.  CPA firms that perform SAS 70 audits must adhere to specific professional standards established by the American Institute of Certified Public Accountants (AICPA).   Licensed public accounting firms are required to follow specific guidance related to planning, execution, and supervision of the audit procedures and the reporting of the results of the audit.  In addition, public accounting firms are required to undergo a peer review to ensure that their firm's audits are conducted in accordance with the applicable professional standards.  Specific practicing requirements may vary depending on the requirements of the applicable State Board and/or other governing bodies.

The CPA firm, of course, may employ non-CPA professionals that have relevant business process, information technology, or security skills to participate in a SAS 70 engagement.  However, the final report must be reviewed and issued by a CPA.  This is particularly important if a user organization's auditors plan to rely on the results of service auditor's tests of operating effectiveness.

There is currently no specific list of authorized SAS 70 service audit providers.  However, a good place to start is a nationally recognized public accounting firm.  When a service organization selects an audit firm to perform their SAS 70 audit, the service organization should consider the following:

• Experience in performing SAS 70 audits (i.e., service auditor's examinations)
• Relevant industry experience (e.g., financial services, technology, telecommunications, health care, etc.)
• Skilled audit professionals that understand the businessa and information technology (IT) controls and processes
• Availability of resources (i.e., bandwidth to deliver the services on time)
• Project management skills