In simple terms, it is our best bet for looking inside the operations of a cloud vendor to understand their internal controls. SAS70 is an auditing statement that meets minimum standards set forth by the Auditing Standards Board as designated by the American Institute of Certified Public Accountants (AICPA).
When we look at SAS70 reports, the first thing we will hear about is Type I and Type II reports. Type II reports must make certain disclosures regarding the tests of operating effectiveness for a specified time period.
With a SAS70 report, we are looking for five elements:
- Control Environment
- Risk Assessment
- Control Activities
Other elements that you may find in a SAS70 report are:
- User Control Considerations
- Information Provided by the Service Auditor
- Tests of Operating Effectiveness and Results of Testing provided by the Service Auditor (Type II Reports)
- Additional Information Provided by the Service Organization
- Exceptions Noted During Testing and Management's Responses to those Exceptions