Why a SAS 70 Type II audit matters

Posted on October 6, 2011 by Tim Burke

Since the arrival in 2002 of the Sarbanes-Oxley Act (SOX) as well as other more stringent financial accountability standards, the role of the SAS 70 Type II audit and certification has grown. My company takes SAS 70 Type II audits very seriously. That's because both SOX and SAS 70 Type II use the same model of controls, so a SAS 70 Type II certification is the best way third parties (like our customers) can be assured of acceptable, SOX-compliant service organization controls.

Developed by the American Institute of Certified Public Accountants (AICPA), SAS 70 Type II audits mean an independent third party has verified that a service organization's policies and procedures were correctly designed and operating effectively enough to achieve the specified control objectives.

During a SAS 70 Type II audit, the auditor conducts:

- Inquiry of the service organization's description of controls
- Inspection of the service organization's description of controls
- Observation of the service organization's controls
- Re-performance testing of the service organization's controls

Both SAS 70 Type II and SOX use a framework developed by the Treadway Commission's Committee of Sponsoring Organizations (COSO), which contains five components the Committee believes effectively describe and analyze internal control systems as required by financial regulations. The components are: control environment, risk assessment, control activities, information and communication, and monitoring.