SAS70 – Cloud assurance compliance


Statement on Auditing Standards No. 70: Service Organizations

The SAS70 statement provides an auditor’s statement on the effectiveness of the internal controls of a service organization. It is gradually being replaced by ISAE3402 as of June 2011.

SAS70 leaves much room with regard to transparency over implemented controls. The fact that an organisation has acquired a SAS70 attestation says nothing about how that service organisation addressed risks. Cloud providers that have had a SAS70 audit should provide transparency over the controls and how those controls are implemented.

A copy of the SAS70 audit guide can be bought on the AICPA store website.