The purpose of this paper is to discuss the SAS 94 audit standards for organizations making extensive use of IT. The paper is divided into two major parts: (1) an examination of complex information technologies in terms of audit risk, and (2) the effect of SAS 94 on the audit processes. While growing organizations often embrace risk, these risks should not be taken blindly. These entities should have a clear understanding of the potential consequences of increased risk and how to ensure positive outcomes. As firms increasingly experience 'virtualization' in their relationships with suppliers, partners and consumers, there is an increasing need for trust and assurance in these relationships. There is greater pressure on independent auditors to attest to this trust and assurance. Ronen & Cherny (2002) indicated that independent auditors are expected to be trust providers to the level of being 'insurers'. Auditors have talked of 'reasonable assurance' and 'true and fair presentation', but now their stakeholders expect these auditors to be insurers of their investment! While bizarre, this is a reality for auditors (Barrier, 2002). In this outsourced scenario, the American Institute of Certified Public Accountants (AICPA) promulgated a new statement of auditing standards (SAS) No. 94, replacing SAS-55; however, it keeps the definition of 'internal controls' unchanged.