ClearPointe successfully completed the Statement on Auditing Standards (SAS) No. 70 audit in conformity with the controls and objectives of an independent auditor. ClearPointe's review was conducted by an independent audit agency, Schramm and Company. For more information, see our Independent Auditor's Report.
ClearPointe’s managed services and 24/7 proprietary NOC are certified reliable and secure so customers can rest assured that their data is safe. ClearPointe is the national center of excellence for practical deployment of advanced Microsoft technologies and SAS 70 compliance is another validation.
SAS 70 is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor’s examination performed in accordance with SAS No. 70 (“SAS 70 Audit”) is widely recognized, because it represents that a service organization has been through an in-depth audit of its control objectives and control activities, which includes controls over information technology and related processes. In today’s global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.
FAQs
What is SAS 70?
According to Wikipedia, Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled “Reports on the Processing of Transactions by Service Organizations”. SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor’s report. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.
Who develops the standards?
American Institute of Certified Public Accountants (AICPA)
Who can perform the audit?
A certified public accounting firm with the appropriate skill set.
Why is SAS 70 important?
This achievement demonstrates a commitment to rigorous controls to deliver a fully secure, reliable information technology environment.
Is it difficult to meet the standards of SAS 70?
An independent auditor, Schramm & Company, examined the description and application of controls related to ClearPointe Technology, Inc. managed services to determine they were suitably designed to achieve the control objectives established by the American Institute of Certified Public Accountants.
What’s the difference between Type I and Type II SAS 70?
A Type 1 SAS 70 audit checks controls that are in place as of a specific date. The opinion deals with the fairness of presentation of the controls and the design of the controls in terms of their ability to meet defined control objectives. Since these reports only provide assurance over a single day, they are of limited value to third parties.
A Type 2 SAS 70 audit checks controls that were in place over a period of time, which is typically a period of six months or more. The opinion deals with the fairness of presentation of the controls, the design of the controls with regard to their ability to meet defined control objectives, and the operational effectiveness of those controls over the defined period. Third parties are better able to rely on these reports because a verification is provided regarding these matters for a substantial period of time.
What is the final deliverable resulting from the audit?
A service auditor's report containing the audit opinion, the organization's description of controls, and a description of the auditor's tests of operating effectiveness.
What areas of the organization's processes are generally covered in this type of engagement?
Control environment, control activities, risk assessment processes, information and communication processes, and monitoring processes.
What types of controls are generally evaluated and tested in this type of engagement?
Organizational controls, application development and maintenance controls, logical security and access controls, application controls, system maintenance controls, data processing controls and business continuity controls.
How does a service organization "pass" or "fail" a SAS 70 audit?
At the conclusion of a SAS No. 70 service auditor's examination, the service auditor renders an opinion on the following:
- Whether or not the service organization's description of controls is presented fairly.
- Whether or not the service organization's controls are designed effectively.
- Whether or not the service organization's controls are placed in operation as of a specified date.
- Whether or not the service organization's controls are operating effectively over a specified period of time. (Type 2 only)