SAS 70 stands for Statement on Auditing Standards number 70
SAS 70 certification validates that an organization's business process controls and information technology infrastructure have been audited by a certified public accountant. This audit consists of a thorough review of all day to day business processes and the flow of sensitive data. All business systems are closely reviewed and every technical component is tested for accuracy, security, change management records and policy enforcement. The auditors typically look for a wide range of strong policy enactment and will be looking for control logs to review compliance.
There are two types of SAS 70 audits, Type I and Type II.
SAS 70 Type I
In a Type one SAS 70 audit, the auditors are performing an initial sweep of your organization, looking to identify all business processes and each step along the flow of data through your organization. This initial audit establishes a baseline of factors that you claim to uphold a certain level of compliance to.Why do we need a SAS 70 Audit
A type one SAS 70 audit is often preceded by specific requests from your clients. It is important to gather and document these requests as you receive them because one of the most important factors of a quality SAS 70 compliance report is that it addresses the needs and concerns of your clients.
A SAS 70 compliance report verifies that your organization has been audited by a certified public accounting firm. The firm verifies that the data integrity, business processes and information technology security protocols that you claim to have in place are actually functioning.
SAS 70 Type II
A SAS 70 type II audit is always preceded by a SAS 70 type I audit. With a SAS 70 Type two audit, the auditors have established the benchmarks during the type one audit, and are now looking for application of these controls over random intervals. A SAS 70 type II audit typically covers a period between 6 months to a year. The goal of a SAS 70 type II audit is to verify that your organization is in fact continuing to comply with the procedures defined in the SAS 70 type I audit. The SAS 70 type II audit also provides an opportunity to document and test new procedures and new technologies in your organization.