Guide to Understanding
SAS 70 Reports
Authors: Norm Parkerson, Business Advisory
Services Executive Director and Brett Williams,
Business Advisory Services Partner
In today’s global economy, service
organizations or service providers must
demonstrate that they have adequate
controls and safeguards when they
host or process data belonging to
their customers (user organizations).
One of the most effective ways a
service organization can communicate
information about its controls is through
a Service Auditor’s Report prepared in
accordance with Statement on Auditing
Standards No. 70 issued by the Auditing
Standards Board of the American
Institute of Certified Public Accountants
(AICPA). This article is a guide to
reviewing and analyzing SAS 70 reports.
When it comes to understanding
Statement on Auditing Standards No.
70 reports, more commonly known as
SAS 70s, the age-old maxim, ‘there are no
dumb questions except those not asked’
has never been more applicable. But
finding the right balance between asking
too many questions and not enough
can be a challenge. Either we ask too
many uninformed questions and subject
ourselves to being taken advantage of
or we do not ask enough questions and
run head first into the proverbial brick
wall, standing up rubbing our heads
and saying, “I meant to do that.” By
This article first appeared in College & University Auditor,
Summer 2009
obtaining a basic level of understanding in a SAS 70 becomes a requirement in
on how to read a SAS 70, you can place order to understand its implications
yourself in a situation where you ask to your control environment. By
smart questions and can ultimately not presenting the facts in layman’s
achieve greater insight into your service terms, the non-audit readers are
provider’s business. often left wondering how to gain this
SAS 70s, by design, are a means of understanding. Take the time to learn
auditor-to-auditor communication. A how to read a SAS 70 report and you will
service organization’s auditor generates gain more knowledge and develop an
a report on the organization’s internal insight into your service organization’s
controls so that their customers and business that cannot be achieved
their customer’s financial auditors can by depending on your auditor for
understand the control environment at interpretation.
the service organization. Regardless of
how the reports are used, the ultimate Trends impacting use of SAS 70 reports
burden of assessing your service
• Increasing amount of outsourced activities
organization’s internal controls lies • Growth of outsourced service providers including:
with you. – Payroll functions
With this in mind, the ability to – Data centers
– Accounting functions
identify the rudimentary truths and
– Third-party retirement plan administrators
effectively use the information contained – Third-party health care administrators
• Sarbanes-Oxley Act of 2002 requires reporting
on the effectiveness of internal controls, including
those relating to outsourced activities
Key definitions
• Service Organization: Company providing outsourced service
• Sub-service Organization: Company providing service to your service organization
• Service Auditor: Auditor performing SAS 70 review of the service organization
• User Organization: Organization receiving the outsourced service
• User Auditors: External auditors of the client organization receiving the outsourced service
Guide to Understanding SAS 70 Reports
SAS 70 report basics
SAS 70 reports come in two forms,
Type I and Type II. The objectives of a
Type I report are to provide reasonable
assurance that:
1. A set of controls has been placed
in operation as of a specified point
in time
2. The description of those controls is
fairly represented by management
3. The controls are suitably designed
to achieve the control objectives
specified by management
The objectives of a Type II report are
to provide reasonable assurance that
1. All of the objectives specified of a
Type I report are met (see previous
paragraph) and
2. Tests applied to specific controls
identified by management
demonstrate operating effectiveness
of the controls for a specified period
of time
SAS 70 reports are comprised
of four sections:
I. The independent service auditor’s
report or the ‘opinion’ section.
II. Information provided by the service
organization, typically a description
of the overall control environment
and the internal controls and control
objectives related to the process being
reviewed.
III. Information provided by the service
auditor, typically includes control
objectives, control activities, tests
performed and in the case of a Type
II report results of tests.
IV. Supplemental material provided
by the service organization.
I. Independent Service Auditor’s
Report (Opinion Section)
The opinion section of the SAS 70
provides legitimacy to the SAS 70
report. This section describes the scope
of the review and articulates the service
auditor’s opinion on the results of the
review. This section provides a lot of
information in a small amount of space.
The first thing you need to determine
is whether or not the SAS 70 report
addresses the service organization’s
activities that are relevant to your
organization. Typically, the first sentence
of the opinion is going to explain, at a
high level, the scope of the review. Pay
particular attention to whether the report
excludes certain locations, products and/
or services that might be of importance to
your business.
Secondly, readers of the SAS 70
report may not notice that the opinion
may or may not apply to the service
organization’s own third party service
providers (referred to as sub-service
organizations). For example, a service
provider may outsource its datacenter to
a sub-service organization. Many times
the scope of the report will not include a
review of the control environment at the
sub-service organizations. The opinion
section will describe whether or not the
controls at sub-service organizations are
included or excluded from the review.
If sub-service organizations are
excluded from the review, you need
to assess the risks posed to your
organization related to the services
provided by these sub-service
organizations. If you deem one or
more of these sub-service organizations
important to your organization, you
need to determine how you are going
to gain comfort with the applicable
control environments. You may be able
to obtain a separate SAS 70 report from
the sub-service organization. If not, you
might consider conducting your own
review of the controls in place at the sub-
service organization. Additionally, your
external auditor may have to conduct an
independent review of the controls in
place at the sub-service organizations.
Key difference: Type I vs. Type II
• Type I report does NOT include testing or an
opinion related to the operating effectiveness
of controls over a specified period of time.
You should also consider influencing
your service organization to expand the
scope of their SAS 70 to include the sub-
service organizations in future reports.
Thirdly, you need to determine
whether the SAS 70 report is a Type I
or a Type II report. Both Type I and
Type II reports include two common
components (opinions) and the Type II
report includes an additional opinion.
The common opinion components of the
Type I and Type II reports are statements
similar to these:
1. “The accompanying description of
controls of the Company presents
fairly the Company’s controls that
had been placed in operation as of a
point in time (i.e., March 31, 2007).”
This statement confirms that
the service auditor has reviewed
management’s description of controls
and believes that the controls are fairly
described. Additionally, the service
auditor is confirming that the controls
were in place as of the specified date.
If the report is a Type II report, this
description section will describe the
control environment as of the last
day of the report period.
2
Guide to Understanding SAS 70 Reports
Key questions to ask yourself
• Scope: Does the report address the service organization’s activities relevant to your organization?
• Sub-service organizations: Does the report include or exclude the control environment at important a minimum of six months in order for the service
sub-service organizations? auditor to opine on operating effectiveness.
• Type I vs. Type II: Is the report a Type I or Type II report?
• Period: Does the period reviewed satisfy the requirements of your organization and your external auditor?
As such, if the service organization made
changes to controls throughout the audit
period, the new/revised controls may
show up as exceptions in a Type II report
since the controls may not have been
operating throughout the period.
2. “Controls are suitably designed to
provide reasonable assurance that the
specified Control Objectives would
be achieved if the described controls
were complied with satisfactorily and
the user organizations applied the
controls contemplated in the design
of the Company’s controls.”
This statement addresses what is
referred to as “suitability of design”
or “design effectiveness.” The service
auditor has concluded that the service
organization has the appropriate controls
in place in order to achieve the Control
Objectives included in the report.
Because the Control Objectives are
defined by management, as a reader,
you will need to make sure that the
Report contains appropriate control
objectives to prevent, detect, and/
or mitigate the risks applicable to
your organization. Also, note that
this opinion assumes that the “user
organizations applied the controls
contemplated in the design of the
Company’s controls”. This statement
assumes that the user organization has
certain controls in place and that if your
company does not have these controls
in place, the Control Objective may not
be properly designed and/or operating
effectively. See the User Control
Consideration Section for further
discussion.
The third opinion is applicable only
to Type II reports and may be stated in
language similar to this: “the controls that
were tested were operating with sufficient
effectiveness to provide reasonable
assurance that the related control
objectives specified were achieved during
the period from ‘month, day, year’ to
‘month, day, year.’”
3. If the above statement (3.) is absent
from the report, you are reading a
Type I report and its value to your
organization is rather limited as it
does not offer any assurance that the
controls were operating effectively
over a specified period of time.
The Auditor’s Report may list
exceptions to the opinion for errors and/
or omissions that were identified during
the Auditor’s review and testing. Note
that just because a Company has an
exception does not mean that the report
cannot be used by your organization.
Exceptions in the opinion section are
indicative of issues large enough to
prohibit control objectives from being
achieved. These exceptions are important
enough that the Auditor believes that it
rises to a level that the control objective
is not designed effectively (applicable
to Type I and Type II reports) or
the control objective is not operating
effectively (applicable only to Type II
reports).
Section III (Information Provided by
the Service Auditor) of the report will
disclose all material exceptions to specific
control activities some of which do not
result in the failure to achieve a specific
Key points related to the opinion
• Generally, controls must be in place for
• Scope is defined by the service organization
not the service auditor.
• Control Objectives and related controls are
defined by the service organization and not
the service auditor.
• Generally, only exceptions that result in the
failure to achieve a control objective are
disclosed in the opinion section of the report.
control objective. Such exceptions are
not included in Section I (the opinion
section) of the report. However, if you
are using the SAS 70 to determine if
specific controls are in place at the service
organization, it will be more important to
look at Section III which details testing
of controls and the related results. So
again, you must understand what risks
you need to address in order to properly
evaluate the content of the SAS 70 as it
applies to your organization.
II. Information Provided by the Service
Organization (Management)
The opinion section of the independent
service auditor report cannot be
distributed without management’s
description of the service organization’s
controls and in the case of a Type II
report, details from the service auditor’s
test of operating effectiveness of the
controls. The section immediately
following the independent auditor’s
opinion is typically information provided
by the service organization.
In this section, the service
organization can document a broad
range of items, but at a minimum
should include the description of the
organizations internal controls related to
the processes covered by the SAS 70. It
should be noted that the information in
this section is not necessarily in the scope
of the SAS 70 report or tested by the
service auditor. The reader must reference
3
Guide to Understanding SAS 70 Reports
the information provided by the service
auditor (see Section III of a SAS 70
Report) to determine which controls
were in scope for the SAS 70 report.
The information provided by the
service organization should primarily be
used to describe the control objectives
and corresponding controls. Control
objectives are chosen by the service
organization. The objectives should
be chosen rationally and reflect the
contracted obligations the service
organization has to its clients. There
should also be sufficient information
provided so that the user organization
can understand how the service
organization’s processing can be used to
achieve compliance, financial reporting,
and operational objectives.
The section should also provide
a description of the Information
Technology (IT) environment including
which systems are in use and the
related IT general computer controls
(ITGC) and objectives. ITGCs should
include controls related to logical and
physical access, program change control,
operations and applicable application
controls. Plans, such as disaster recovery
and business continuity are not included
because a plan cannot be a control. If a
service organization chooses to include
this type of information, it would be
found in section IV of the report under
supplemental material provided by the
service organization.
An important component of this
section is referred to as User Control
Considerations. This section of the
report is straightforward but should not
be overlooked. This section describes
Key points related to information provided by management
• Information in Section II is provided by management, not the service auditor.
• Management’s description of controls may include control activities that are “out of scope” and not tested user organization (your organization).
by the service auditor.
• Control Objectives and related controls are defined by the service organization and not the service auditor.
• Generally, only exceptions that result in the failure to achieve a control objective are disclosed in the opinion
section of the report.
control activities that the service
organization expects to be in place at the
user organizations (your organization).
These controls can be critical to the
service auditor’s opinion that the controls
are suitably designed to achieve the stated
control objectives. However, the service
auditor does not perform test procedures
to determine operating effectiveness of
these controls.
The user organization is responsible
for ensuring that the stated controls are in
place and operating effectively. You need
to evaluate whether or not the stated user
controls apply to your organization and
determine whether or not the controls are
in place and operating effectively.
As an example assume that a service
organization administers application
security access for your organization.
The service organization may include
the following control activity as a “user
control consideration” –
“The user organization will review
logical security access no less than
semi-annually and notify the service
organization of any additions, deletions,
and / or changes to security access that
need to be made.”
This user control consideration is
stating that it is your responsibility to
ensure that you conduct the semi-annual
review as stated. It is your responsibility
to obtain from the service organization
the necessary information to conduct
the stated review. Ideally, you would
also have a mechanism (control) in place
to ensure that the requested changes
resulting from such reviews were in fact
executed by the service organization.
III. Information Provided by the Service
Auditor (Control Objectives, Control
Activities, and Tests Performed)
Typically, control objectives (specified
by the service organization – not the
auditor), descriptions of control activities
(specified by the service organization
– not the auditor), descriptions of test
procedures (performed by the auditor),
and results of tests (performed by the
auditor) are presented in a tabular format.
Before you even begin to read this
section, formulate your own list of
control objectives and control activities
that you think are critical to your control
environment. Then you can map the
control objectives and related controls
specified in the report to your list of
control objectives / control activities and
perform a “gap analysis.”
Perhaps the controls are in place
but the service organization chose to
exclude them from the SAS 70 review.
Control objectives and related control
activities may be excluded by the service
organization for many reasons including:
• Control objective and related controls
may not be in operation.
• Control activities may not be
operating effectively.
• Control objective and related controls
may be specific to only one (or a
few) of the service organization’s
clients (customers) and the service
organization wants the SAS 70 to
apply to the majority of its clients
(customers).
• Control objective and related controls
may not be operating at the service
organization because the related
activities are outsourced to a sub-
service organization.
• Control objective and related controls
may be totally dependent upon the
• Control objective and related controls
may be too costly to include.
4
Guide to Understanding SAS 70 Reports

The key point here is that the scope
of the SAS 70 (identification of control
objectives and control activities) is
defined by the service organization not
the independent auditor. The service
organization may exclude control
objectives and related controls at their
discretion without reason or explanation.
You want to be sure that the control
objectives and control activities that
address risks that are important to your
organization are adequately addressed
by the SAS 70. If not, you should
consider visiting the service organization
to conduct your own evaluation of the
gaps in the control environment that
you identified in the aforementioned
initiative. An alternative to performing
the work yourself would be to engage a
public accounting firm to conduct what
is commonly referred to as “agreed upon
procedures” at the service organization in
an attempt to “close the gaps.”
Once you have performed the above
“gap analysis,” read and evaluate this
section of the report. Just as you may
have identified some missing control
objectives and or control activities in the
report you may identify some controls
that do not apply to your organization.
Key points related to user control considerations
However, we would suggest that you do
not ignore those items as the controls and
test results could give you some insight
into the overall control environment of
the service organization.
Read the control objectives and
control activities with some degree
of skepticism. Just because a control
objective was achieved and no exceptions
were noted by the independent auditor
does not mean that you should be
satisfied with the related control
environment. You need to be sure
that the control objective and control
activities are clearly articulated to satisfy
your expectations. Control objectives
and related controls may be written so
narrowly that your expected control is
not really addressed in the SAS 70 report.
For example: You may be looking
for controls to “… provide reasonable
assurance that access to applications and
databases are appropriately secured.”
A related control activity may state
“Logical access granted to employees of
the service organization is approved by
the Supervisor of Computer Operations.”
The independent auditor tested the
control and reported no exceptions.
However, note that the control
activity, as stated, only addresses access
granted to “employees of the service
organization.” What about controls
related to access granted to “non-
employees” (i.e., contractors, sub-service
organizations, temporary staff, employees
of the clients/ customers, etc.)? Also,
are you satisfied that the individual (i.e.,
Supervisor of Computer Operations)
authorized to approve logical access to
your environment is appropriate?
When reading the description of
Tests Performed by the Service Auditor,
be sure that you are comfortable with
the testing that was performed. Typical
methodologies applied to testing are –
• Inquiry
• Inspection
• Observation and / or
• Re-performance
Be sure that the applied testing
methodology is appropriate for the
stated control. Pay special attention to
tests where inquiry was the only test
procedure performed. Typically, inquiry
should not be the only method applied to
testing controls. Ideally, controls tested
via inquiry should also be tested via at
least one other method (e.g. inspection,
observation, and/or re-performance).

• The user organization (you) is responsible for ensuring these controls are in place and operating
effectively at your organization.
• The service auditor does not opine on the operating effectiveness of these controls.
• You need to be sure that the service organization provides you the necessary information under
their custody that is required for you to execute the stated controls.

Key points related to information provided by the service auditor

• No tests of controls are conducted during a Type I review to ascertain whether or not the controls were
operating over a specified period of time. The controls are only tested to obtain reasonable assurance
that they controls were in place as of the specified date.
• Control Objectives and Control Activities are specified by the service organization, not the service auditor.
• You should determine what control objectives and related control activities you expect to see in the
SAS 70 report.
• Identify “gaps” between your expectations vs. the actual SAS 70 report.
• Evaluate and discuss “gaps” with the service organization and take appropriate action to gain comfort
that the control environment at the service organization is adequate.

5
Guide to Understanding SAS 70 Reports

When reading the test results, Management is requested to respond Conclusion

you should not just read the sections to each exception noted in the SAS 70. The author, David Thoreau, points out,
where the control objective(s) were You should read management’s comment “It takes two to speak the truth – one
not achieved. An organization (service and decide if you are satisfied with their to speak and the other to hear.” By
organization) can fulfill the requirements response. Ideally, management’s response taking the time to read and understand
for and receive an “unqualified opinion” will include a remediation plan. the information provided in a SAS
(all control objectives were achieved) 70, you will have the ability to make
even though the service auditor identified IV. Supplemental Information Provided sound decisions and develop incredible
exceptions during the test of controls. So by the Service Organization insight into your service organization’s
read and evaluate each control objective This section may include additional business. Use this guide to reading a SAS
and the related controls and make information that the service organization 70 to empower yourself to finding the
your own assessment of the control wants to disclose. Items such as a Disaster answers needed to actively participate in
environment by applying your own Recovery, Business Continuity Plan protecting your company when dealing
judgment. Perhaps an exception was and Strategic Plan may be included. with outsourced service providers.
identified by the service auditor and The reader should note that the service
the service auditor’s judgment was that auditor renders no opinion on these
the control objective was still achieved. topics.
However, in your specific environment,
you may consider the control activity to
be critical to your control environment
(e.g., your organization’s risk appetite
may not be aligned with the service
auditor’s risk appetite) and you may
want to discuss the exception(s) with the
service organization and or consider the
effectiveness of any mitigating controls
that may or may not be a part of the SAS
70 report.

Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case.
For additional information on the issues discussed, consult a Grant Thornton client service partner.

www.GrantThornton.com

© Grant Thornton LLP All rights reserved U.S. member firm of Grant Thornton International Ltd