Are there predefined controls that are required to be included in the scope of every SAS 70 audit?
There are no predefined controls that are required to be included in the scope of every SAS 70 audit. Simply stated, a SAS 70 audit is designed to provide independent third-party verification of internal controls related to an outsourced service. A service organization essentially says, “this is what we do for our clients, and this is how we control it.” A licensed auditing firm is engaged to provide independent third-party verification as to whether such claims are true. Requiring service organizations to be audited against a list of predefined controls would be contrary to the rationale of SAS 70 audits: it would force SAS 70 auditors to audit service organizations against controls that those organizations never claimed to have implemented and that user organizations were never given any reasonable expectation were in place. Furthermore, service organizations’ industries and services vary so widely that it is not possible to predefine standards for every conc