What Is a SAS 70 Report & What Replaced It?

Understand the historical SAS 70 audit standard and its evolution into the current SOC reporting framework for service organizations.

From its issuance in 1992 until its replacement in 2011, SAS 70 was the standard under which auditors reported on the internal controls of service organizations, entities that process transactions or hold data on behalf of other businesses. A SAS 70 report gave those customers and their auditors visibility into controls they could not observe directly. Understanding SAS 70 and what replaced it helps in reading today's SOC reports and in knowing what assurance they do and do not provide about a third-party provider.

Defining SAS 70 Reports

SAS 70, or Statement on Auditing Standards No. 70, was an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It provided guidance for auditors reporting on service organization controls. The primary purpose of a SAS 70 report was to offer user organizations (clients of service providers) assurance about the internal controls at those service providers.

User organizations often outsourced functions that fed directly into their financial reporting, such as payroll processing, claims processing, or hosting of the systems that produced their accounting records. Because a weakness in the service organization's controls could produce a misstatement in the user organization's financial statements, the user organization's auditor needed evidence about those controls without auditing every provider separately. SAS 70 addressed this need by defining a uniform report that one service auditor could issue and many user auditors could rely on.

The scope of a SAS 70 report was limited to controls relevant to a user entity's financial reporting; it was not a general assessment of security, availability, or privacy, even though it was frequently marketed as one. The parties involved were the service organization, the user organizations, and an independent Certified Public Accountant (CPA) firm acting as the service auditor. The audit allowed the service organization to give its clients third-party verification of its control environment instead of answering each client's individual audit requests.

The report included a description of the service organization's controls, prepared by the service organization, and the independent service auditor's opinion on that description. The opinion addressed whether the description was fairly presented and the controls suitably designed and, for a Type 2 report, whether they operated effectively over the review period. A written assertion from management about the description was not part of SAS 70; that requirement was introduced with SSAE 16, its successor.

Distinguishing Type 1 and Type 2 Reports

SAS 70 reports were issued in two types, each offering a different level of assurance regarding service organization controls. This distinction helped user organizations and their auditors understand the assessment’s scope.

A SAS 70 Type 1 report addressed the fairness of the service organization's description of its system and the suitability of the design of its controls as of a specific date. The emphasis was solely on whether the controls, as designed, could achieve their objectives; the auditor did not test whether they actually operated over time. User organizations typically used Type 1 reports for an initial assessment, for a newly implemented system, or when a point-in-time view of control design was sufficient.

A SAS 70 Type 2 report provided more assurance. It covered the same elements as a Type 1 report, the description and the suitability of control design, and in addition reported the auditor's tests of operating effectiveness over a stated review period, typically six to twelve months. The auditor therefore evaluated both whether the controls were designed correctly and whether they functioned as intended throughout that period.

The primary difference, then, was the testing of operating effectiveness over a period. User organizations and their auditors preferred Type 2 reports because a control that is well designed on one day may still be bypassed or fall out of use, and only period-based testing catches that. A user auditor could rely on the period covered by a Type 2 report for the financial statement audit, reducing the need for on-site testing at the provider. Any gap between the end of the review period and the user's fiscal year-end still had to be covered separately, for example with a bridge letter.

The Transition from SAS 70 to SOC Reports

SAS 70 is no longer the active standard for reporting on service organization controls. It was superseded by SSAE 16, Reporting on Controls at a Service Organization, effective for service auditor reports covering periods ending on or after June 15, 2011. At the same time the AICPA introduced the Service Organization Control (SOC) reporting framework, renamed System and Organization Controls in 2017. SSAE 16 was itself replaced by SSAE 18 (AT-C section 320), effective for reports dated on or after May 1, 2017, which is the standard under which SOC 1 reports are issued today.

The AICPA made this change to give auditors clearer guidance, to align with the international standard ISAE 3402, and to serve stakeholders whose interest in a provider went beyond financial reporting controls. A specific problem with SAS 70 was scope creep: providers presented "SAS 70 certified" as evidence of security or data protection, which the standard never addressed. The new framework defined distinct report types so that each one's scope and intended audience were explicit.

The SOC framework introduced a suite of reports for different user needs. The SOC 1 report is the direct successor to SAS 70 and, like it, covers controls relevant to user entities' internal control over financial reporting (ICFR). SOC 1 reports come in Type 1 and Type 2, with the same distinction between control design at a point in time and operating effectiveness over a period, and are issued under SSAE 18. Their use is restricted to the service organization, its user entities, and the user entities' auditors.

Beyond financial reporting, the framework added the SOC 2 report. SOC 2 addresses controls over security, availability, processing integrity, confidentiality, and privacy, measured against the AICPA's Trust Services Criteria; security is the mandatory category, and the others are included at the service organization's option. SOC 2 reports also come in Type 1 and Type 2, with the same distinction in assurance, and are restricted-use documents normally shared under a non-disclosure agreement. The SOC 3 report is a general-use summary of a SOC 2 examination: it carries the auditor's opinion but omits the detailed control descriptions and test results, so it can be published on a website or given to prospects without an NDA.

The practical effect is that a user organization can request the report that matches the assurance it needs: a SOC 1 when the provider affects its financial statements, a SOC 2 when it is evaluating the provider's security or privacy controls, and a SOC 3 when only a public-facing summary is required. Before accepting any of these, a reviewer should check the report type, the period covered, the services and criteria in scope, and any exceptions the auditor noted, since a clean opinion on a narrow scope says little about systems that were left out.
