7.  What if my service provider does not have a SAS 70 audit performed?

Many SAS 70 audit engagements result from user organizations making repeated requests of the service organization in order to gain an understanding of the internal control environment at the service organization.

If a service organization does not have a SAS 70 audit performed, that service organization should be prepared to entertain audit requests from their customers.  In some cases where the service organization has a small number of customers, accomodating individual audit requests may be practical.  However, if the service organization has multiple user organizations, accomodating individual audit requests can put a strain on the service organization's resources and become cost prohibitive.

If a service provider does not have a SAS 70 audit performed, the user organization should consider requesting permission for their auditors to contact and visit the service organization in order to obtain the necessary information for the user auditor to plan their financial statement audit.

If you need further information, feel free to send an e-mail to: info@sas70.com.