SAS 70 and its Relevance to Investment Management SAS 70, or Statement on Auditing Standards No. 70, was a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). While superseded by the SSAE 16 standard (now SOC 1), its influence on investment management and the processes surrounding it remains significant, shaping how firms demonstrate operational controls and security. In the context of investment management, SAS 70 provided a framework for evaluating the controls in place at service organizations that support investment managers. These service organizations might include custodians, fund administrators, or technology providers handling sensitive financial data. An investment manager engaging such services needed assurance that these vendors had robust processes in place to safeguard assets and information. A SAS 70 audit involved an independent auditor examining the service organization’s controls and issuing a report. This report, available in two types, helped investment managers assess the risks associated with outsourcing key functions. * **Type I report:** Described the service organization’s controls at a specific point in time. It provided a snapshot of the control environment but didn’t evaluate its operational effectiveness. * **Type II report:** Went further by evaluating the design and operating effectiveness of the controls over a specified period. This provided a greater degree of assurance to the user organization (the investment manager) regarding the consistency and reliability of the service provider’s controls. The benefits of utilizing service organizations with SAS 70 reports (and now SOC 1 reports) included: * **Due Diligence:** The report provided evidence to support the investment manager’s due diligence efforts when selecting and monitoring service providers. * **Regulatory Compliance:** Compliance with regulations like the Investment Company Act of 1940 necessitates establishing and maintaining adequate internal controls. SAS 70 reports assisted investment managers in meeting these requirements by verifying the controls at service organizations. * **Risk Mitigation:** Identifying weaknesses in service providers’ control environments allowed investment managers to proactively address potential risks related to data security, operational efficiency, and financial reporting. * **Investor Confidence:** Demonstrating a commitment to robust control environments enhanced investor confidence, showing that the investment manager was taking appropriate steps to protect assets and information. Although SAS 70 is no longer in use, the principles and practices it established continue to influence investment management operations. SOC 1 audits, its successor, serve the same fundamental purpose: to provide assurance about the controls at service organizations that affect a user organization’s internal control over financial reporting. Investment managers today still rely on SOC 1 reports to gain confidence in the operational integrity and security of their service providers, and to satisfy regulatory requirements and investor expectations. The shift from SAS 70 to SOC 1 has largely been a refinement of the framework, incorporating international auditing standards and providing a more comprehensive and consistent approach to assessing service organization controls.