What is a SAS 70 Audit?

Posted 3.10.09 by

Update: SAS 70 reports only on controls related to financial reporting. If you need assurance of controls directly related to data centers, including privacy, security and availability, look for a SOC 2 report.
SAS 70 was replaced by SSAE 16 in June 2011.

SAS-70 stands for “Statement on Auditing Standards No. 70”. It was created to identify organizations willing to hold themselves to a proven and higher standard of commitment. It’s essentially an audit of the “controls” that you claim to have regarding physical and logical protection of your data center.

What is a “control”? It’s a process, policy or tool (hardware or software) you have in place designed to enforce a specific claim. For example, at Online Tech we have controls in place to make sure that only appropriate people have physical access to our data centers. Our SAS-70 audit then was conducted by having a 3rd party CPA visit Online Tech and confirm that the controls we claim to have are really in place.

There are two types of audits: Type 1 and Type 2. A Type 1 audit is done for a specific point in time: the auditor will visit and confirm that your controls were in place on the specific date of the visit. A Type 2 audit covers a period of time, for example a 6-month period. During that period the auditing firm will visit regularly and assure that the controls were firmly in place as claimed throughout.

Most organizations first get a Type 1 audit and then proceed, over time, to complete the Type 2 audit. Once the Type 2 audit is complete it is generally good for at least 6 months; the audit is then done again to ensure compliance for the next year.

A SAS-70 audit is done by a CPA firm together with a data security expert with experience in data center and network security. First the organization prepares a list of claimed controls. The auditors then visit, interview employees, and review systems, procedures and documents to confirm that the claimed controls are in fact in place. Any control that is not perfectly in place will get an “exception” notice. Ideally your SAS-70 report should have a “no relevant exception” rating for every control.

The SAS-70 audit report will also contain a “statement of controls” from the auditor. This statement gives an opinion as to whether or not these controls, taken together, are sufficient and consistent with typical practices for the type of services and work being performed.

The end result is that a data center with a SAS-70 audit is more likely to be secure and reliable.
