SAS 70 is an auditing standard to prepare a formal report on the design, implementation and operating effectiveness of the controls within a service organization (providing services to other user organizations). SSAE 16 replaces SAS 70 in the USA from 2010 and ISAE 3402 is the equivalent of SAS 70 used internationally from 2010.
SAS 70 audit might be necessary if your organization provides services to another organization (e.g. in case of outsourced business processes), and if those services have a direct or indirect effect on the financial statements or internal control system (ICOFR) of that organization. In which case that organization might request that you perform such an audit, and provide the audit report to them proving that your organization’s controls are designed and operated effectively. However if your organization provides services to many clients it is also a good choice to have such an audit to prove your clients you implemented a high quality control environment, and their data is handled properly and securely.
On the other side, if your organization outsourced some business processes to a service organization, and if those services have a direct or indirect effect on the financial statements or internal control system (ICOFR) of your organization, than you might request a SAS 70 report from the service organization, that must undertake a SAS 70 audit. The report can provide information to you or to your financial auditor about the effectiveness of controls operated by the service organization (which is typically necessary in case of Sarbanes-Oxley audits). KPMG is capable of performing the SAS 70 / SSAE 16 / ISAE 3402 attestation audit, and prepare the required report, or can also provide advisory services in case of this will be the first audit year, and if your Company needs assistance with the implementation of the controls.