4. How are SAS 70 audit reports generally distributed?
At the conclusion of a SAS 70 audit engagement, the service auditor will issue a Service Auditor's Report. The audit reports are then provided to the service organization for distribution to their respective user organizations (i.e. customers) and the independent auditors of the user organizations (i.e. user auditors). The user organizations are usually responsible for obtaining the audit report from the service organization and then distributing it to their auditors.
Guidelines for distributing Service Auditor's Reports should be formally communicated between the independent service auditor and the service organization. For example, an engagement letter between the independent service auditor and the service organization should discuss the restricted use of the Service Auditor's Report and expectations regarding distribution of the report.
Tips for obtaining a Service Auditor's Report: User Organizations
If you suspect that your service provider has received an independent service audit under SAS 70, you should request copies of the report for your own use and for distribution to your auditors. Hopefully, your service provider will provide you with an account executive that can assist in obtaining the audit report. Otherwise, consider contacting the following individuals/departments at your service provider:
As part of planning the financial statement
audit for an organization that uses a third party service provider, the
user auditor is required to consider the internal control environment at
the service organization. A Service Auditor's report can assist the
user auditor in gaining an understanding of the service organization's
controls. User auditors should generally request the Service Auditor's
Report from their traditional audit contacts (i.e. personnel in the accounting
or finance function) at the user organization.
If you need further information, feel
free to send an e-mail to: info@sas70.com.