ControlPay is a SAS 70 Type II audited organization
The Statement on Auditing Standards No. 70 (SAS 70) is an independent examination of our controls and procedures. The audit provides assurance that the descriptions we provide are fairly stated, suitably designed, and effective.
How does a SAS 70 audit work?
The service provider (ControlPay) issues documentation on all of its controls and procedures as they pertain to sensitive customer information contained on ControlPay’s hosted managed infrastructures. It is important to know that the audited party sets the scope of the audit to be performed and independently creates all documentation necessary to support its claims.
Important Differences
Because there are two types of SAS 70 audits (Type I and Type II), there is confusion in the marketplace about the purpose and validity of this process. In a Type I audit, the service provider documents its controls and procedures, which are then reviewed by an auditor for adherence to generally accepted best practices.
In a Type II audit, all claims made in the document are tested for an extensive period of time (minimum six months) before the auditor renders his/her verdict. This testing of our systems is done by KPMG.
ControlPay’s SAS 70 audit
The scope of ControlPay’s SAS 70 Type II audit included on-boarding of new hires, disaster recovery and business continuity planning, IT and physical security, data backup and recovery procedures, provisioning of services, asset tracking and inventory management, separation of client infrastructures, decommissioning of servers and services, and other business practices.
The SAS 70 Type II report is available under NDA to current customers.