A Type II report will perform testing to determine that

1)      the description presents fairly the controls that have been placed in operation;

2)      the controls were suitably designed to achieve the control objectives;

3)      the controls were operating effectively

Could result in a Qualified Opinion if the description of controls and/or tests of operating effectiveness do not fairly present sufficient evidence to support the stated control objectives. 

SAS 70 Control Objectives

The scope is defined by the ASP, typically focusing on business processes that are critical to the services it provides to its clients and deemed as financially significant to the client’s operations. 

Typically will contain general computer controls plus any additional organization-specific controls that are financially significant to customers. General Computer Controls:

• Systems Development, Implementation, and Maintenance
• Systems Software Change Control
• Logical Access
• Physical Access
• Computer Operations
• Data Transmission
• Application Controls (e.g. Systems Product and Pricing process) – easily customizable 

SAS 70 Benefits

A SAS 70 with an Unqualified Opinion issued by an accredited independent accounting firm differentiates an ASP from its peers by demonstrating the establishment of effectively designed control objectives and activities. 

Competitive advantage in selling prospects and retaining existing customers 

Indicates that the ASP has tight and effective control over its operation and that the likelihood of financial loss, operational failure, or corruption of data are mitigated. 

Reduces strain on ASP and client resources by limiting the number of necessary external audits. 

Provides a means for an annual independent assessment and testing (Type II) of control activities, which could identify opportunities for improvement in many operational functions. 

Saves clients the inflated cost of paying for regular external audits of the service organization.