Statement on Auditing Standards 70 audit process

A Statement on Auditing Standards (SAS) 70 audit process is often used as part of financial audits.[18] An SAS 70 report is issued by an independent auditor for a service provider that processes financial data on behalf of others; it discusses the effectiveness of the service provider’s internal controls over the processing of transactions that may be relevant to the financial reporting of customers.

Management of the customer organization and its auditor may use this report to assess the internal control policies and procedures at the service provider as part of the overall evaluation of the internal control at the customer organization. Some cloud computing service providers have obtained an SAS 70 audit for use and review by their customers. In discussing the use of SAS 70 reports to meet information security requirements, OMB Memorandum M-09-29[19] states that it is the agency’s responsibility to ensure that:

 * the scope of the SAS 70 audit is sufficient and fully addresses the specific contractor system requiring FISMA review, and
 * the audit encompasses all controls and requirements of law, OMB policy, and NIST guidance.

There are attestation standards, similar to those in SAS 70, that could be used to provide an assessment of controls at a service provider that relates to the effective implementation of security and compliance with specified requirements of laws and guidance. However, the scope of an audit based on a standard such as SAS 70 is defined by the service provider and could exclude key controls essential to effectively protecting agency information. Therefore, if an attestation report on security effectiveness and compliance with laws and guidance is used, it is critical that the scope of the controls addressed by the attestation report is sufficient to meet agency requirements.