SAS 70 Report Content Templates free download


Download Free SAS 70 (Statement on Auditing Standards no 70) Report Content Templates
The SAS 70 Type II report includes three required sections: the auditor’s opinion, the service organization’s description of controls, and tests of operating effectiveness with the results of those tests. The report may also include an additional section with other information provided by the service organization (provided for informational purposes but not subject to audit).

Section I: Service Auditor’s Opinion
The following is example SAS 70 Type II audit opinion text for a scenario in which the service organization achieves the specified control objectives. The opinion would be modified to suit the circumstances of the specific audit.

Section II: Description of Controls
The service organization’s description of controls typically includes narrative descriptions of the following components:
• Overview of operations
• Description of services provided by the service organization that are covered in the report
• Control objectives and supporting control activities
• Control environment, risk assessment processes, and monitoring processes
• Information systems and communication processes
• User control considerations (i.e., controls that users of the service organization should have in place to address their responsibilities with regard to controls over the service)

Section III: Control Objectives, Related Controls, and Tests of Operating Effectiveness
This section details the service organization’s control objectives and supporting control activities that form the scope of the SAS 70 examination. This information is considered part of the service organization’s description of controls and may be explicitly included in Section II of the report or incorporated by reference. Section III also details the test procedures performed by the auditor and the results of those test procedures. The following is an example of how the testing of control-specific activities is typically presented in the SAS 70 Type II report. It is not intended to represent a complete set of control activities to meet the specified control objective.

Section IV: Additional Information Provided by the Service Organization
Other information that was not subject to audit may be included in this informational section of the report. For example, the service organization may choose to include a description of its business continuity/disaster recovery processes in this section of the report.


Attachments:
• sas0-70-report-content-example.doc (28 KB)
• sas0-70-report-content-example.png (63.89 KB)
