Cpa archives - Regulatory Compliance, Governance and Security


Jul 6 2009   3:20PM GMT

Sample SAS 70 Type II Audit Report | Learn about SAS 70 Audits



Posted by: Charles Denyer
sas 70 sample report, sas 70 example report, sas 70 type ii audit report, charles denyer, sas70, statment on auditing standards no. 70, cpa, pdf

Obtaining a Sample SAS 70 Type II Audit Report is simply the best way for service organizations to learn about Statement on Auditing Standards No. 70. This can be a highly complex audit process, with much of it open to an auditor’s and service organization’s overall interpretation of many key points in the audit process.

Service organizations of all shapes and sizes today (data centers, co-locations, software as a service, third party administrators, medical claims processors, etc.) are all being called upon to become SAS 70 Type II compliant. The regulatory drumbeat is beating louder every year and SAS 70 audits are here to stay.

A sample SAS 70 Type II audit report will give service organizations a fresh and unique perspective on exactly what the finished product of a SAS 70 Type II audit looks like. Look at it as a way to truly understand the end product and what the CPA firm conducting the audit will be furnishing you with.

Please keep in mind that, because of the looseness and the flexibility of the SAS 70 auditing standard, not every report will be identical in. However, there are, without question, common themes and subject matter that every quality report will include. The report can be downloaded via PDF.

Jan 28 2009   1:03PM GMT

SAS 70 Audits and PCI DSS Compliance | A Two for One Audit? Not Quite



Posted by: Charles Denyer
payment card industry data security standards (PCI DSS), PCI DSS, qsa, cpa, pci dss report on compliance (ROC), pciassessment.org, sas70.us.com

As an accountant and a PCI Qualified Security Assessor (QSA), I’m seeing more and more auditors essentially provide audit and fieldwork services for both a SAS 70 and a PCI DSS assessment at the same time, then issue a PCI DSS Report on Compliance (ROC) and a SAS 70 Type II Service Auditor’s Report. While I am all for audit efficiencies, there does need to be some degree of engagement independence, both in an administrative manner (different engagement letters, etc.) and in terms of audit expertise (both CPAs and QSAs need to be involved in their respective assignments and committed to the work at hand).

Furthermore, SAS 70 audits will also examine areas not covered by PCI DSS assessments, and the same is true for PCI DSS assessments covering technical areas traditionally not under the scope of a SAS 70 audit. As professionals, we need to be careful not to blur the lines and distinctions between CPAs and QSAs and still try to maintain professional independence in regards to the work that each does and what they are qualified to do.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.
To learn more about PCI DSS assessments, visit pciassessment.org.