FR | NL | EN
   About us     Contact     Glossary index     Sitemap   

   Home > SAS 70 - Outsourcing Service Audit

SAS 70 - Outsourcing Service Audit     Print

SAS 70 ensures the design effectiveness and the operational effectiveness of the internal control of a servicing organisation.

Table of contents:


Outsourcing has become a common practice for companies wishing to focus on core activities while reducing operational costs by taking advantage of the economies of scale offered by large service organisations.

Although companies can outsource non-core activities, this is not true for the related risks and responsibilities that they must monitor through their audit committee.

A circular from the Banking, Finance and Insurance Commission (CBFA) highligths these responsabilities.

Go to top


The audit committee or Board of Directors has three possibilities to obtain reasonable assurance regarding internal controls relating to outsourced processes:

  1. Have management establish controls and perform tests within their own organisation regarding the outsourced processes.

  2. Have their internal or external auditor perform certain test procedures within the service provider. This right to audit, however, must be enforced contractually.
  3. Request a SAS 70 report (or ISA 402 Type B report or equivalent) from the external service organisation.
Go to top

SAS 70

SAS 70 was developed by the American Institute of Certified Public Accountants (AICPA), and is the audit standard for the examination of the design and operational effectiveness of internal controls within service organisations.

Service organisations in Belgium are increasingly confronted with requests for SAS 70 reports, but they may also take the initiative to offer such a report, providing them a number of important advantages:

  • There is no longer a need to receive various audit firms that come to perform detailed tests on its internal controls for their clients.

  • The SAS 70 audit process requires the organisation to take a close look at its processes, not only encouraging a better internal control environment, but also to provide a better quality of service and to enhance process execution.

  • The offering of a SAS 70 report is used as a means to distinguish itself from the competition when attracting new clients.

Go to top

SAS 70 Report

A SAS 70 Report consists of 4 sections :

  1. The Independent Service Auditor Report

    Section I, is prepared by the Independent Auditor at the end of the examination, and includes its opinion based on the results of procedures.

  2. The description of the Company controls and procedures, written by the company itself

    Section II of the report is prepared by the Service Organisation, and typically includes a description of the internal controls infrastructure, a detailed description of the in-scope processes, and the control objectives and control activities.

  3. The test of the operating effectiveness, written by the Service Auditor

    Section III of the report contains the tests performed by the independent auditor and the test results by control activity.

  4. Other information provided by the company

    Section IV is optional, and contains Other Information Provided by the Service Organisation, such as information relating to disaster recovery planning and business continuity planning.

Go to top

Sources: Audit Committee Institute

QAP © 2010 | advice[at] | audit[at]
   Audit     Advisory     Training     Change     Disclaimer     Copyright