A method established by the American Institute of Certified Public Accountants (AICPA) for telling an auditor how to assess and issue an official auditor’s report about a service provider’s internal controls. Standard 70 focuses on services that could impact a service user’s financial reporting, including payroll services, benefits claims processing, outsourced IT operations or data centers, and vendor management services or software. An SAS Type I audit presents a snapshot of the service provider’s controls at a moment in time, whereas a Type II audit presents those same controls in operation over a period of at least six months and is recognized by the Securities and Exchange Commission (SEC) as an acceptable way of obtaining an auditor’s opinion for Sarbanes-Oxley (SOX) Section 404. (See Also: SAS 70 Type II Audit). SAS 70 reports are issued on every continent and country leading to various audit and accounting standards being used. To address the inevitable overlap that arises from multiple similar standards, an initiative was started in 2007 by the International Auditing and Assurance Standards Board (IAASB). The goal of the IAASB initiative is to issue two new international standards for reports on controls at service organizations. One of the two standards will be for user organizations and their auditors (ISA 402), while the second standard will be for service organizations and service auditors (ISEA 3402). Both ISA 402 and ISAE 3402 are assurance reports which aim to provide insight into the controls at a third-party service organization.
Source: Staffing Industry Analysts