What Was the SAS 70 Audit and Why Did SOC Replace It?

Explore the history of SAS 70 audits, their purpose in financial reporting controls, and why they evolved into the current SOC reporting framework.

Statement on Auditing Standards No. 70 (SAS 70) was a historical auditing standard developed by the American Institute of Certified Public Accountants (AICPA). Its original purpose was to provide assurance about the internal controls of service organizations. These controls were relevant to how a service organization’s operations might affect the financial reporting of its clients. SAS 70 is no longer an active standard and has been replaced by a newer framework for reporting on controls at service organizations.

Understanding SAS 70’s Purpose and Scope

SAS 70 focused on a service organization’s internal controls relevant to a user entity’s internal control over financial reporting (ICFR). When a company, known as a user organization, outsourced functions like data processing or payroll, a significant portion of its internal controls could reside with the service provider. User organizations and their auditors needed these reports to understand the control environment of these outsourced services. This was especially important for their own financial statement audits, as it helped them assess the risk of material misstatement.

The reports provided independent third-party verification regarding the integrity, reliability, effectiveness, and security of the processing services offered to user organizations. Receiving a SAS 70 report allowed a user organization’s financial statement auditors to rely on the service organization’s controls instead of performing redundant, first-hand audit procedures. This standard applied to service organizations like data centers, third-party administrators, and payroll processors, which handled data or transactions impacting a client’s financial statements.

The Two Types of SAS 70 Reports

SAS 70 offered two distinct types of reports: Type 1 and Type 2. A Type 1 report described the service organization’s controls at a specific point in time. It included an assessment of the suitability of the design of these controls to achieve the stated control objectives. This report provided an understanding of the controls in place but did not offer assurance on their operational effectiveness over time.

A Type 2 report, in contrast, described the controls and assessed both the suitability of their design and their operating effectiveness over a specified period, often six months or a year. The service auditor performed tests on the controls to determine if they consistently operated as intended throughout the reporting period. This testing of operational effectiveness provided a higher level of assurance compared to a Type 1 report, indicating that the controls were not only designed appropriately but also functioned effectively over time.

The Evolution to SOC Reports

SAS 70 was superseded by the Statement on Standards for Attestation Engagements (SSAE) No. 16, which introduced the Service Organization Control (SOC) reporting framework. SSAE 16 became effective for reports covering periods ending on or after June 15, 2011, and was later updated as SSAE 18. This evolution was part of an effort to align U.S. accounting standards with international standards.

The SOC framework includes several types of reports: SOC 1, SOC 2, and SOC 3. SOC 1 reports are the direct replacement for SAS 70, specifically addressing internal controls over financial reporting. While SOC 2 and SOC 3 reports address other control areas, such as security, availability, processing integrity, confidentiality, and privacy, SOC 1 reports maintain the original focus of SAS 70.

Key Elements of a SOC 1 Report

A SOC 1 report provides information for understanding a service organization’s controls related to financial reporting. The main components include the independent service auditor’s opinion, management’s assertion, a detailed description of the service organization’s system, and the control objectives with related controls. For a Type 2 SOC 1 report, it also presents the results of the auditor’s testing of the operating effectiveness of those controls.

The service auditor’s opinion provides an independent assessment of whether the service organization’s description of its system is fairly presented and whether the controls were suitably designed and, for a Type 2 report, operated effectively. Management’s assertion is a statement by the service organization’s management confirming the accuracy of the system description and the effectiveness of the controls.

A user entity’s auditor uses the SOC 1 report to understand the controls implemented by the service organization and how those controls might affect the user entity’s financial statements. This allows the user auditor to assess risk and decide the extent of its own audit procedures. The purpose of providing assurance over outsourced controls, which began with SAS 70, continues under the SOC 1 framework.
