03-10-09 | Blog Post
Update: SAS 70 reports only on controls related to financial reporting. If you need assurance of controls directly related to data centers, including privacy, security and availability, look for a SOC 2 report.
SAS 70 was replaced by SSAE 16 in June 2011.
SAS-70 stands for the “State on Auditing Standards No. 70”. They were created to to identify organizations willing to hold themselves to a proven and higher standard of commitment. It’s essentially an audit of “controls” that you claim to have regarding physical and logical protection of your data center.
What is a “control”? It’s a process, policy or tool (hardware or software) you have in place designed to enforce a specific claim. For example, at Online Tech we have controls in place to make sure that only appropriate people have physical access to our data centers. Our SAS-70 audit then was conducted by having a 3rd party CPA visit Online Tech and confirm that the controls we claim to have are really in place.
There are two types of audits: Type 1 and Type 2. A type 1 audit is done for a specific point in time. The auditor will visit and confirm your controls were in place on a specific date when they visited. A type 2 audit is for a period of time, for example, a 6 month period. During that period of time the auditing firm will regularly visit and assure that during that period the controls were firmly in place as claimed.
Most organizations first get a type 1 then proceed, over-time to complete the type 2 audit. Once the type 2 audit is complete it is generally good for at least 6 months then the audit is done again to ensure compliance for the next year.
A SAS-70 audit is done by a CPA firm and a data security expert with experience in data center and network security. First the organization prepares a list of claimed controls. The auditors then visit, interview employees, review systems, procedures and documents to confirm that the claimed controls are in fact in place. Any controls that are not perfectly in place will get an “exception” notice. Ideally your SAS-70 report should have “no relevant exception” rating for every control.
As well the SAS-70 audit report will contain a “statement of controls” from the auditor. This statement gives an opinion as to whether or not these controls, taken together, are sufficient and consistent with typical practices for the type of services and work being performed.
The end result is that a data center with a SAS-70 audit is more likely to be secure and reliable.
