SAS 70 Overview
Organizations that offer services (IT and/or BPO) to highly regulated industries, such as banking, insurance, healthcare and manufacturing, are often required by their clients to provide assurance of their control procedures.
Many organizations are engaging third-party specialists, like PRINCETON AUDIT GROUP, to perform SAS 70 audit engagements to assess the effectiveness of their organizations’ policies, processes and procedures. The SAS 70 report/certification process is well recognized within the industry.
Statement on Auditing Standards No. 70 (SAS 70) was developed by the AICPA (American Institute of Certified Public Accountants) to signify that a Service Organization (Vendor) has been through an in-depth audit of its control processes by Independent Auditors. SAS 70 Certification is objective, with specific emphasis on IT Controls as they relate to client services and financial reporting. This report is the authoritative guidance that allows Service Organizations/Vendors to disclose their control activities and processes to their customers and the customers' auditors in a uniform reporting format.
The examination signifies that a service organization has had its control objectives and control activities examined by Independent Auditors / Certified Public Accountants.
More about the SAS 70:
 
Type I Reports
This type of report outlines an organization’s control description at a specific point in time (for example, June 1, 2005). A SAS 70 Type I encompasses a service auditor's report on a service organization's controls as they relate to an audit of IT Controls as applicable to financial statements or specific control objectives relevant to the service organization. A Type I report determines the design effectiveness of the controls in scope, and those controls are then used during the Type II report.
 
Type II Reports
A Type II report outlines an organization’s control description as well as detailed testing of the organization’s controls over a minimum six-month period (e.g., June 1, 2005 – December 31, 2005).
A Type II SAS 70 encompasses a service auditor's report on a service organization's controls as they relate to specific control objectives relevant to the service organization. A Type II report determines whether the controls were in place, tested and operating with sufficient effectiveness to provide reasonable assurance that the related control objectives were achieved during a specified period of time, usually 6 or 12 months.
 
Which Type is recommended?
This really depends on the compliance and business objectives that your organization wants to accomplish.
As mentioned above, the Type I report is almost a precursor to the Type II report. Auditors and client organizations will only get their assurance from the detailed testing that is performed by the auditors during the Type II engagement.
It is also not unusual to see vendor organizations start with a Type I assessment in Year 1 and subsequently go for both Type I and Type II from that point onwards.
Based on the scope and level of detailed testing involved, Type II reports are typically requested by clients and prove to be very beneficial to client auditors in fulfilling the client’s SOX 404 audit requirements.
 
Value Additions
Given the depth of details involved, and the independent nature of the audit, these reports provide greater assurance to clients and their audit teams.
SAS 70 reports (unqualified) are the best way for service organizations to demonstrate that solid business, finance and IT practices, with appropriate checks and balances, are implemented and attested by Independent Auditors.
With increased risks pertaining to outsourcing, many of the large clients in the US are now making a SAS 70 Type II report a mandatory requirement, either for procuring a new IT / BPO vendor or for renewing existing contracts.
More than a compliance obligation, service organizations (IT / BPO Vendors) are now using their successful SAS 70 status as a competitive edge and showcasing that status as a distinctive advantage over other vendors.