Installment #6: Can I fail a SAS 70 audit?

Yes, actually you can. When a service provider is audited, the report can carry an ‘unqualified opinion’, meaning the auditor found that the provider has the desired policies and procedures and complies with them. An ‘unqualified opinion’ is essentially a ‘passing’ grade. If the service provider either cannot produce the desired policies and procedures or fails to demonstrate compliance with them, a ‘qualified opinion’ is given at the end of the report. Essentially, the report will include a ‘qualification’ for each deviation from policy or procedure. This is not exactly a failure, per se. It simply means that the report shows the service provider is not in 100% compliance with their own stated policies and procedures. A customer’s auditors would then have to consider the report in more depth to determine what that particular shortcoming means for that particular customer.

Essentially, even though any given service provider determines the policies and procedures they need to comply with to receive an unqualified SAS 70 report, it is not uncommon for a provider to fail to enforce those policies and procedures, or to find that employees are either not properly trained on the procedures or not following them properly. That is why the audit needs to be performed on a recurring basis, and why a Type II report can be much more meaningful than a Type I report. If a service provider fails to comply with their own policies, they would need to correct whatever issue caused the qualification to be listed on the report and then repeat the audit process to have a new report generated.

Comments

  • Newel Linford  On April 30, 2010 at 7:44 pm

    Even though you go to some length explaining this, there is still no such concept as passing or failing a SAS 70. Service auditors know this.

    Regarding the following sentence: “[e]ven though any given service provider will determine their own policies and procedures that they need to comply with to have an unqualified SAS 70 report.” A service auditor’s examination is not an audit of a company’s adherence to its policies and procedures, which, by the way, are not even controls. It is an audit of the actual internal controls that support the achievement of the control objectives specified in the description of controls.

  • nursing schools  On June 1, 2010 at 11:54 pm

    Pretty nice post. I just stumbled upon your blog and wanted to say that I have really enjoyed browsing your blog posts. In any case I’ll be subscribing to your feed and I hope you write again soon!
