Trend Report

SAS 70 Out, New Service Organization Control Reports In

Security And Risk Professionals Must Prepare To Phase Out SAS 70 Today

Ed Ferrara and two contributors
Oct 31, 2011

Summary

Developed by the American Institute of CPAs (AICPA), Statement on Auditing Standards No. 70 (SAS 70) has been around since 1992. When the Sarbanes-Oxley Act (SOX) of 2002 passed, SAS 70 gained new urgency because auditors used it to assert the suitability of financial controls at a third-party service provider. Until recently, SAS 70 was the Swiss Army Knife for certifying not just financial controls but all things related to compliance, including information security certification. The AICPA didn't design SAS 70 for these additional purposes, and auditors used it inappropriately in many cases. When SAS 70 was used for information security certification, CISOs routinely derided it as "proving nothing." In response to this and other issues, the AICPA introduced new audit standards this year to replace SAS 70. This report provides CISOs with insight into these new audit standards and their effectiveness in auditing service providers for information security compliance.
