SAS 70

SAS 70 Physical Security Examination Audit

The examination of physical security is focused on the physical security controls that surround the facility and the computer systems used to provide the service. The auditors will look for the following items:
- Identification badges on all personnel
- Restriction of sensitive areas to authorized individuals
- Escorting of visitors
- Logging of visitors

SAS 70 Personnel Management Security Examination Audit
The auditors will examine how the organization vets its own personnel. This is not to say that the organization should not trust its own employees, but that it should take pains to determine their trustworthiness and avoid putting them in positions where a mistake can cause inappropriate damage to the organization or a customer.

When examining personnel management issues, the auditors will look for:
- Background checks performed during the hiring process
- Non-disclosure agreements with employees and contractors

SAS 70 Report Content Templates free download

Download Free SAS 70 (Statement on Auditing Standards No. 70) Report Content Templates
The SAS 70 Type II report includes three required sections: the auditor’s opinion, the service organization’s description of controls, and tests of operating system effectiveness and the results of those tests. The report may also include an additional section with other information provided by the service organization (provided for informational purposes but not subject to audit).

Section I: Service Auditor’s Opinion
The following is example SAS 70 Type II audit opinion text for a scenario in which the service organization achieves the specified control objectives. The opinion would be modified to suit the circumstances of the specific audit.

Section II: Description of Controls
The service organization’s description of controls typically includes narrative descriptions of the following components:
• Overview of operations
• Description of services provided by the service organization that are covered in the report
• Control objectives and supporting control activities
• Control environment, risk assessment processes, and monitoring processes
• Information systems and communication processes
• User control considerations (i.e., controls that users of the service organization should have in place to address their responsibilities with regard to controls over the service)
