A Statement on Auditing Standards (SAS) 70 audit was often used as part of financial audits. The private sector relied on SAS 70 reports for, among other purposes, compliance with Section 404 of the Sarbanes-Oxley Act of 2002, which requires management to assess internal controls over financial reporting.
An SAS 70 report was issued by an independent auditor for a service provider that processes financial data on behalf of others; it discussed the effectiveness of the service provider’s internal controls over the processing of transactions that may be relevant to the financial reporting of customers.
Management of the customer organization and its auditor could use the report to assess the internal control policies and procedures at the service provider as part of the overall evaluation of internal control at the customer organization. Some cloud computing service providers obtained an SAS 70 audit for use and review by their customers. In discussing the use of SAS 70 reports to meet information security requirements, OMB Memorandum M-09-29 stated that it is the agency's responsibility to ensure that:
- the scope of the SAS 70 audit is sufficient and fully addresses the specific contractor system requiring FISMA review, and
- the audit encompasses all controls and requirements of law, OMB policy, and NIST guidance.
There are attestation standards, similar to SAS 70, that could be used to assess whether controls at a service provider effectively implement security and comply with specified requirements of laws and guidance. However, the scope of an audit based on a standard such as SAS 70 is defined by the service provider and could exclude key controls essential to protecting agency information; an SAS 70 report in particular addresses controls relevant to customers' financial reporting, not security controls generally. Therefore, if an attestation report on security effectiveness and compliance with laws and guidance is used, it is critical that the controls covered by the report are sufficient to meet agency requirements.
SAS 70 was superseded by SSAE 16, effective for service auditor reports for periods ending on or after June 15, 2011.