
SAS 70 Compliance Explained

Posted by QuoteColo on May 26, 2017 - Updated on May 02, 2017

There could be all kinds of reasons you need to understand SAS 70 compliance years after it was retired. The following will quickly bring you up to speed so you’re able to do so right away.

What Is SAS 70?

SAS 70 refers to Statement on Auditing Standards No. 70: Service Organizations. The American Institute of Certified Public Accountants (AICPA) developed it as an authoritative auditing standard. It remained in effect until 2011, when SSAE (Statement on Standards for Attestation Engagements) No. 16 replaced it as the authoritative standard to be followed in all audits of service organizations. That same year, AICPA also unveiled the Service Organization Controls (SOC) reporting framework, which allowed practitioners to offer different kinds of reports depending on the requirements of service organizations and their stakeholders.

The History of SAS 70

SAS 70 came about back in 1992. At that time, outsourcing was still a fairly new practice and most companies still kept their IT processes onsite. Even though only a few tasks were ever being outsourced back then, it didn't take long for concerns to arise about precisely how third-party service providers were carrying them out.

The big question became: how are organizations’ annual financial statements affected by these services?

With SAS 70, the main goal was to help external auditors create assessments of their customers’ financial statements when those clients were using third-party servicers for the processing of financial transactions and/or various types of reporting.

The standard simplified the auditing requirements and allowed these auditors to review and test third-party organizations' controls much more quickly.

The Evolution of SAS 70

As you probably predicted, SAS 70 didn’t remain in its initial form for long. Eventually, outsourcing became extremely common and organizations using third-party service providers became widespread. This included relying on these parties for things like order fulfillment, manufacturing and even payroll.

The onset of new technologies like SaaS (Software as a Service) and the cloud, along with the aforementioned spread of outsourcing, meant that SAS 70 had to be adapted in order for it to remain relevant, much less useful.

Enhanced standards and frameworks of governance like the NIST 800 series and ISO 27000 have since been developed to help organizations with developing assurance and security requirements.

SAS 70 in the Current Day

The SAS 70 report remained acceptable for a successful audit until June of 2015. However, it has since been officially phased out. In reality, most auditors moved on long before that point.

That being said, if you're going through your company's financial history, or that of a client, it's important to understand the compliance issues. First, check that both the service's customers and its auditors had the same access to information regarding the controls in use.

Second, the SAS 70 audit must have been carried out by a third party, or it was not acceptable. That third party needed to include both a risk professional and an audit professional who were experienced with information security and auditing.

Third, this report had to list the control objectives and activities of the service organization with confirmation that they were carried out and to what degree of success. This was one of the biggest benefits of this old standard because it provided official validation for these service companies. As a result, these third parties were able to build trust in their markets and attract more customers.

While it’s not in use anymore, the SAS 70 was a very important standard that did a lot for companies from a number of different industries. It was also mercifully straightforward, which means if you need to reference these reports for some reason, you shouldn’t have too much trouble understanding their compliance requirements.
