Dara Security

SAS70/SSAE18 and SOX404

An Overview of the Standards

Statement on Auditing Standards 70 (SAS70) was a widely recognized standard for reporting the effectiveness of a service organization's internal controls. Developed by the American Institute of Certified Public Accountants (AICPA), the SAS70 standard allowed a company to demonstrate that its controls were effective, efficient, and adequately protected any customer data.

SAS70 audits also considered elements from Section 404 of the Sarbanes-Oxley Act (SOX404). SOX404 was put into effect in 2002 after several high-profile bankruptcies were found to be caused by weak internal controls within the organizations. The requirements of SOX404 require an in-depth examination of an organization's financial reporting controls, bringing more relevance to the SAS70 audit.


SAS70 was replaced in 2011 with the Statement on Standards for Attestation Engagements 16 (SSAE18), a revision that effectively brings US companies up-to-date on international service organization reporting standards. By following SSAE18, US organizations gain the confidence of international companies and can better compete on a global level.


Who needs an SSAE18 Audit?

Companies with services that affect the control environment and/or financial statements of other companies may require an SSAE18 audit. Examples of industries requiring this audit are:  payroll processing, medical claims processing, hosted data center services, and credit processing.


Our Experience

As your independent SSAE18 auditor, our team will conduct a thorough and in-depth examination of your information technology and financial reporting controls, drawing from our extensive technical experience and adhering to the latest auditing guidelines.