Browse: Home / / What is a SAS 70 Audit?

What is a SAS 70 Audit?

By Online Tech on March 10, 2009

Why Data Centers Should Have Audits

SAS-70 stands for the “State on Auditing Standards No. 70”. They were created to to identify organizations willing to hold themselves to a proven and higher standard of commitment. It’s essentially an audit of “controls” that you claim to have regarding physical and logical protection of your data center.

What is a “control”? It’s a process, policy or tool (hardware or software) you have in place designed to enforce a specific claim. For example, at Online Tech we have controls in place to make sure that only appropriate people have physical access to our data centers. Our SAS-70 audit then was conducted by having a 3rd party CPA visit Online Tech and confirm that the controls we claim to have are really in place.

There are two types of audits: Type 1 and Type 2. A type 1 audit is done for a specific point in time. The auditor will visit and confirm your controls were in place on a specific date when they visited. A type 2 audit is for a period of time, for example, a 6 month period. During that period of time the auditing firm will regularly visit and assure that during that period the controls were firmly in place as claimed.

Most organizations first get a type 1 then proceed, over-time to complete the type 2 audit. Once the type 2 audit is complete it is generally good for at least 6 months then the audit is done again to ensure compliance for the next year.

A SAS-70 audit is done by a CPA firm and a data security expert with experience in data center and network security. First the organization prepares a list of claimed controls. The auditors then visit, interview employees, review systems, procedures and documents to confirm that the claimed controls are in fact in place. Any controls that are not perfectly in place will get an “exception” notice. Ideally your SAS-70 report should have “no relevant exception” rating for every control.

As well the SAS-70 audit report will contain a “statement of controls” from the auditor. This statement gives an opinion as to whether or not these controls, taken together, are sufficient and consistent with typical practices for the type of services and work being performed.

The end result is that a data center with a SAS-70 audit is more likely to be secure and reliable.

  • Share/Bookmark
2 Comments

Posted in | Tagged

Online Tech

2 responses to “What is a SAS 70 Audit?”

  1. What to Look for from a SAS-70 Hosting Provider
    September 7, 2009 at 5:11 pm |

    [...] blog posts on SAS70:  What is a SAS70 Audit? 5 Reasons to Choose a SAS70 Audited Colocation [...]

  2. SAS 70 Type II Audit Complete for Online Tech’s Three Data Centers
    October 20, 2009 at 10:58 am |

    [...] What is a SAS70 Audit? Explaination of the audit and why data centers should have audits. [...]

Leave a Reply