As a SAS70 auditor, I am often asked by organizations how control objectives are developed. Technically, it is the service organization's responsibility to develop its SAS70 control objectives. In practice, however, it is treated as a collaborative effort among the parties involved in the overall SAS70 audit process.
Here's how it typically works.
A service organization that is new to the SAS70 audit process will generally seek guidance and assistance from the CPA firm that will ultimately be conducting the SAS70 audit. This is common because the CPA firm has years of experience conducting SAS70 Type I and Type II audits and can therefore give the service organization a set of industry-accepted SAS70 control objectives to use as a starting point. The service organization can then customize these, use them as they are in an off-the-shelf fashion, or design its own control objectives. Most service organizations tend to "adopt" the control objectives put forth by the CPA firm, making slight modifications or adding specific control objectives based on the audit scope and on requirements from the clients or user organizations that are ultimately requesting the SAS70 audit.
To learn more about SAS70 audits, visit the official SAS70 resource guide, where you can obtain an actual SAS70 Type II audit report to gain a better understanding of what a SAS70 audit actually is.