One of the most effective ways a service organization can communicate information about its controls is through a Service Auditor’s Report.
SAS 70 has the following report types:
In a Type I report, the service auditor expresses an opinion on the controls implemented as of a specific date.
In a Type II report, the service auditor expresses an opinion on the controls implemented during a period, usually six months.
Under SAS 70, controls are self-defined by the service organization and are not written with cloud service providers in mind.
The SSAE 16 AICPA standard (now SSAE 18), put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), has effectively replaced the long-standing SAS 70, which was issued in April 1992.
Service Organization Control (SOC) Reports (as in SSAE 18), effectively known as SOC 1, SOC 2, and SOC 3 Reports, form a comprehensive framework put forth by the AICPA for reporting on controls at service organizations. Unlike SAS 70, the SOC framework is a specific set of reporting initiatives aimed at helping to clarify, distill, and bring much-needed transparency to reporting on controls at service organizations.