Regulatory Compliance, Governance and Security

Sep 21 2008   4:51PM GMT

SAS70 Control Objectives | Here’s What You Need to Know



As a SAS70 auditor, organizations often ask me how are control objectives developed. Technically, it is the service organization’s responsibility to develop SAS70 control objectives. However, in reality, it’s looked upon as a collaborative effort by a number of parties involved in the overall SAS70 audit process.

Here’s how it works in theory.

If you are new to the SAS70 audit process, then service organizations will generally seek guidance and assistance from a CPA firm that will ultimately be conducting the SAS70 audit. This is common because the CPA firm has years of experience in conducting SAS70 Type I or Type II audits and will thus be able to give a service organization a set of industry accepted SAS70 control objectives to use as a starting point. The service organization can them customize these if they desire, use them as they are in an off the shelf mode, or design their own control objectives. Generally, most service organizations tend to “adopt” the control objectives put forth by the CPA firm along with making slight modifications or adding some specific control objectives based on audit scope and/or certain requirements from clients and/or use organizations who are ultimately requesting the SAS70 audit.

To learn more about SAS70 audits, visit the official SAS70 resource guide where you can obtain an actual SAS70 Type II audit report for gaining a greater understanding of what a SAS70 actually is.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: