Update: SAS 70 reports only on controls related to financial reporting. If you need assurance of controls directly related to data centers, including privacy, security and availability, look for a SOC 2 report.
SAS 70 was replaced by SSAE 16 in June 2011.
A “SAS 70 audited” data center is a label used by many hosting companies to help show the value of their services but what does it really mean to be hosted in one?
- What is a SAS 70 audit and how does it differ from other audits?
- How are they conducted?
- Are all SAS 70 Audits the same?
- Why should my company care if we are hosted in a SAS 70 audit?
Hopefully this article will help answer some of these questions for you.
At a very basic level, What is a SAS 70 Audit?
As with any audit, a third party is hired to evaluate and give their expert opinion on a specified issue. A SAS 70 audit is no different in that regard, but has special implications for not only hosting companies but all service organizations.
Very simply, a SAS 70 audit is a way for service organizations to be evaluated by a third party on the validity or “fairness” of their stated services and to ensure that the proper business processes and procedures are “suitable designed” and “complied with satisfactorily.”
The term “SAS 70” or Statement on Auditing Standards No. 70, refers to a document that provides auditing standards for performing this specific type of audit on service organizations and is issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). So when a SAS 70 audit is conducted, it is done through the guidance of this Statement (Statement of Auditing Standards PDF) and by an independent, third party, auditor.
Why are SAS 70 Audits Conducted?
Depending on the company and the business they are in, there a variety of reasons why a business would want a SAS 70 audit conducted. Some audits, depending on the industry, are mandated by law while others simply bring value added to their clients. All service organizations serious about their internal controls and improving them, should think about conducting a SAS 70 audit on thier business. The motivation behind a data center becoming SAS 70 audited is that it can better prove to potential clients that the claims they make about their security procedures, their change management practices, and the quality of their services are validated by a party independent from the hosting company.
This is invaluable in creating trust between the hosting company and potential clients and can help lead to further improvements in their internal controls down the line. Beyond that, it also opens doors for new clients that must (required by law) to host their data/servers in a data center that has certain guidelines related to data security which it must follow and which a SAS 70 audit can prove are being preformed. The basket of these types of businesses that are mandated to have certain data privacy and safeguards in place continues to grow, as has the importance and demand of [insert law/act here (acts/standards include but are not limited to GLBA, HIPPA, PCI DDS, and SOX)] compliant data centers.
What does a SAS 70 Audit Guarantee?
There are no standard internal controls that auditors evaluate in a SAS 70 audit. Auditors only evaluate the controls that the business claims to have (which is written out in full in the report). It is the auditor’s job to evaluate the claims made and presented to them, which is why the scope of the audit is very important. If you claim too few controls, the audit is easier for the business but isn’t worth much to potential clients. If you claim too much, then the auditor’s will undoubtedly write an unfavorable evaluation.
Because of this variation from audit to audit, it is important to have a look at a potential data center’s audit report to see what they are claiming as well as the auditor’s evaluation of those claims.
Another aspect of the auditing process that you should be aware of is that there are two types of reports. Type I and Type II.
- Type I – Evaluates of fairness of a service organization’s description of their internal controls. This is usually only done when a company has first started the auditing process.
- Type II – Includes the Type I report and evaluates how the controls were operating over a set period of time. Usually this is 6 months. From when the Type I audit was first conducted to 6 months thereafter.
Why Is a SAS 70 Data Center Important for My Business?
At the end of the day, it shows that the data center operator says what it does, and does what it says. This is very important for any company that has data critical to their business. Having you servers in a SAS 70 audited data center can give you the peace of mind that they are following through with their promises and that your data is safe. Just make sure to get a good look at the audit before committing to one data center over the other.
- Five Reasons to Choose a SAS 70 Audited Colocation Provider
5 benefits of hosting with a SAS 70 audited data center operator.
- Frequently Asked Questions about SAS 70
Common questions about SAS 70 audits answered.
- What is a SAS 70 Audit?
Definition and explanation from a data center perspective.