SAS 70 is part of the AU Section 324 Codification of Auditing Standards, which is used to report on controls placed in operation and on the testing of the operating effectiveness of those controls. Put simply, it is a widely used compliance audit for assessing the internal control framework of service organizations that perform critical outsourced activities for other entities. Introduced in 1992, SAS 70 audits came into common use in the early and mid-1990s. They are still used for the traditional case of evaluating a service organization’s services when those services form part of the user organization’s information system:
For example, if the ABC company uses the XYZ company, a service organization, to conduct transactions and procedures that are considered significant to the ABC company’s “information system” or business environment, then the XYZ service organization would need to be SAS 70 compliant.
Think of it as an audit that examines and tests the characteristics of the internal controls of service organizations. Service organizations are the entities that undergo the SAS 70 audit. Who requires the audit to be done, and why? Generally speaking, compliance legislation in recent years has revolved around corporate governance and the ability to maintain a strong mechanism of internal controls within organizations. Laws such as the Sarbanes-Oxley Act of 2002 (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA) have emphasized themes such as governance, privacy, security, confidentiality, and segregation of duties.
Source of information: Implementing and Developing Cloud Computing Applications (2011)