Statement On Auditing Standards No. 70: Service Organizations - Changing Uses of The SAS 70

Changing Uses of The SAS 70

Over the last few years, the SAS 70 audit has come to be used in non-traditional ways. Companies in the financial services industry are being required to show adequate oversight of service providers, for example by obtaining a SAS 70 review, in order to comply with Gramm-Leach-Bliley Act (GLBA) requirements. Service organizations that provide services to healthcare companies are often asked by their clients to have a SAS 70 audit conducted to ensure an independent third party has examined the controls over the processing of sensitive healthcare information.

While some companies use the SAS 70 audit to promote themselves in the "Other Information Provided by Service Organization" section, the more appropriate application is to use properly modified objectives from the internal control framework(s) appropriate to their industry and company, such as COSO, COBIT for SOX, ISO, ITIL, BITS, or the AICPA's Trust Principles (which are specifically applicable to SysTrust or WebTrust services).
