Mastering SAS 70 Audit Reports for Service Organizations

Evaluating Internal Controls Issues With Type I and Type II Reports

Recording of a 110-minute CPE webinar with Q&A

Conducted on Wednesday, June 16, 2010

Recorded event now available


This course will prepare auditing professionals to meet a service organization client's particular needs with regard to a SAS 70 report, anticipate special challenges in evaluating a service provider's internal controls and their effectiveness, and produce a high-quality SAS 70 report.


Service organizations of all sizes are increasingly asking outside auditors to provide reports on their internal controls under the AICPA's Statement on Auditing Standards No. 70, or SAS 70. SAS 70 reports boost the confidence of clients, lenders and others in the service provider.

While a SAS 70 report does not support a financial statement audit, accounting firms performing this work must take particular care with an annual report and the accompanying opinion letter. Both Type I examinations of controls and Type II reviews of control effectiveness present special challenges.

SAS 70 allows different approaches in describing how the service organization's processing and operational activities affect the five elements of internal control. The auditing firm needs to develop and follow a road map to produce an accurate SAS 70 evaluation that serves the client's needs.

Listen as our panel of veterans in outside audits offers insights to help you anticipate hurdles and improve the quality of your firm's SAS 70 audit reports.



  1. Key terms of AICPA Statement on Auditing Standards No. 70 (SAS 70)
    1. Promulgated in 1993
    2. Guidance to service auditors on assessing service organization’s internal controls and issuing a report
    3. Guidance to auditors of financial statements for an entity using one or more service organizations
    4. Type I service auditor’s report
      1. Opinion on fairness of internal controls, suitability of their design
    5. Type II service auditor’s report
      1. Type I info, plus effectiveness of controls during period
  2. Changing uses of SAS 70 reports
    1. Financial services companies want to show adequate oversight of service providers
    2. Service organizations use reports to show clients high-quality controls
    3. Serve marketing aims of service provider
  3. Establishing with the client the audit’s requirement
    1. General controls or specific scope?
    2. Setting testing locations and parameters
    3. Identifying internal controls and their objectives
    4. Proper length of the testing period


The panel will explore these and other relevant aspects of SAS 70 reports:

  • Taking a project plan approach to the SAS 70 audit, covering planning, field work and reporting.
  • Planning the testing of controls with the service organization, and executing the tests.
  • Understanding the limitations on the usefulness of Type I and Type II reports.
  • Helping to make the SAS 70 report more useful for all readers.


Mark Agulnik

Senior Manager, Assurance Services

He has more than 12 years of experience and works on SAS 70 reports and assurance services (including financial...

Eric Wright
Technology Shareholder
Schneider Downs
Steve Thompson
Schneider Downs
Powell Jones
Business Advisory Services Manager
Grant Thornton

He has worked at the firm since 2004 and performed multiple SAS 70 certifications and readiness reviews focused on IT...

Scott Price
A-lign CPAs

He is an experienced SAS 70 auditor, having served on more than 700 such audits, and was president of the SAS 70...

CPE credit is not available on downloads.