How often does a SAS 70 audit need to be renewed? Does a SAS 70 audit ever expire?
A service auditor’s examination report (“SAS 70 audit report”) is generally as of a point-in-time (e.g., September 30, 20xx) and, in the case of a Type 2 audit, will cover a specified period of time (e.g., January 1, 20xx to September 30, 20xx). Most service organizations will have the SAS 70 audit conducted annually, because the user organizations and their auditors will need assurance that the service organization’s controls are operating effectively for the current fiscal year of the user organization. There is no “SAS 70 renewal” from the standpoint of the service organization simply paying a fee to extend the results of their original SAS 70 audit. The service auditor must conduct a full and complete audit each year and report on the results. The description of controls in the service auditor’s report may look the same from year-to-year, but the service auditor’s procedures and/or tests will be new every year. The PCAOB has elected not to establish any “bright lines” around when a
