6. How do I read a SAS 70 audit report?
Since Service Auditor Reports are traditionally an auditor-to-auditor communication, reading the report for the first time can be challenging. However, by understanding the contents of the report (as documented in FAQ #5), reading the report can be a much easier task.
Independent Service Auditor's Report

The Independent Service Auditor's Report should be easy to identify in the audit report. It is typically a one- to two-page letter from the independent auditors to the management of the service organization. The language of the opinion generally follows fairly explicit guidelines set by the American Institute of Certified Public Accountants (AICPA). The opinion describes the auditor's approach and the scope of the audit. Important items to look for are the date as of which the controls were evaluated and the date(s) the controls were placed in operation; a Type II report additionally states the period (generally at least six months) over which the operating effectiveness of the controls was tested. This is an easy way to determine whether you are looking at a Type I or a Type II report: if the controls were evaluated only as of a point in time and there is no paragraph discussing the operating effectiveness of the controls over a period of time, you are most likely looking at a Type I report.
The auditor's conclusion is generally stated towards the end of the opinion. The following table shows which conclusions the auditor expresses, depending on the type of Service Auditor's Report:

| Conclusion in the auditor's opinion | Type I | Type II |
|---|---|---|
| 1. Whether the service organization's description of controls presents fairly, in all material respects, the relevant aspects of the service organization's controls that had been placed in operation as of a specified date. | Included | Included |
| 2. Whether the controls were suitably designed to achieve the specified control objectives. | Included | Included |
| 3. Whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified. | Not included | Included |
The Service Organization's Description of Controls

The service organization's description of controls is the responsibility of the service organization. In many cases, the service auditor will assist the service organization in preparing the description. The description of controls generally should contain the following information:
Information Provided by the Service Auditor

This section of the Service Auditor's Report describes the service auditor's tests of the operating effectiveness of controls and the results of those tests. It appears only in a Type II report, since a Type I report does not test operating effectiveness. The following elements should be included in the description:
Other Information Provided by the Service Organization

A service organization may want to include or present other information that is not part of the description of controls (e.g. a glossary of terms). This type of information is placed in a separate section and is not covered by the service auditor's opinion, so it should not be relied upon as audited.
If you need further information, feel free to send an e-mail to: info@sas70.com.