Composition of a SAS 70 Audit Report
 

Section 1 – Independent Service Auditor’s Report – A-lign™ provides an opinion for the services within the scope of the review regarding the following:
 

Section 2 – Description of Controls – The description of controls is generally prepared by the service organization however, A-lign™ can assist in the preparation of the description. The description should provide user auditors or customers with the information about the service organization’s controls that may be relevant to a user organization’s internal control environment. The description should include the following information:
 

Opinion

 Type 1 Report  Type 2 Report
Whether the service organization’s description of its controls presents fairly, in all material respects, the relevant aspects of the service organization’s controls that had been placed in operation as of a specific date.  Included  Included
Whether the controls were suitably designed to achieve control objectives.  Included  Included
Whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified.  Not 
 Included		  Included

 

  • Aspects of the service organization’s internal control environment; risk assessment; information and communication systems; and monitoring that may affect the services provided to user organizations, as it relates to the an audit of financial statements
  • Control objectives and related controls
  • Changes to controls since the latter of the date of the last report or within the last 12 months.
     

Section 3 – Information Provided by the Service Auditor – A-lign™ will include the controls tested, the description of those tests that A-lign has performed, and the results of those tests.
 

Section 4 – Other Information Provided by the Service Auditor – The client may wish to present other information in this section. This is not part of the description of controls and is not covered by A-lign’s opinion. A-lign™ will read the information and provide a disclaimer of opinion on the other information provided by the client. Examples of information that clients may wish to place in this section include, management response to testing exceptions, disaster recovery plans, or client agreements.