Understanding The SAS 70 Audit And Its Benefits
SAS 70 Overview:
Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor's examination performed in accordance with SAS No. 70 (also commonly referred to as a "SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.
SAS No. 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. The issuance of a service auditor's report prepared in accordance with SAS No. 70 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. The service auditor's report, which includes the service auditor's opinion, is issued to the service organization at the conclusion of a SAS 70 examination.
I2B Networks will provide a copy of our SAS 70 Type II Audit report to prospective customers as well as current colocation customers. Please request a copy of this report by contacting an I2B Networks representative.
Type I vs. Type II SAS 70 Audit:
A Type I report covers the service organization's description of its controls at a specific point in time (e.g. June 30, 2010). A Type II report includes the service organization's description of controls and also detailed testing of those controls over a period of at least six months (e.g. January 1, 2010 to June 30, 2010).
SSAE 16 Overview:
Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. Once issued, SSAE 16 will effectively replace SAS 70 as the standard for reporting on service organizations. It is expected that SSAE 16 will be formally issued in June 2010 with an effective date of June 15, 2011. SSAE 16 was drafted with the intention and purpose of updating the US service organization reporting standard so that it mirrors and complies with the new international service organization reporting standard – ISAE 3402.
For service organizations that currently have a SAS 70 service auditor's examination ("SAS 70 audit") performed, some changes will be required in order to report under the new SSAE 16 standard. However, it is currently anticipated that these changes will not be significant.
Five Reasons to Choose a SAS-70 Audited Colocation Provider
If you're thinking of building out your own data center, don't forget to budget for SAS-70 auditing costs. They can easily run over $100,000 per year. When you outsource your data center instead, selecting a vendor who has already made the SAS-70 investment spares you those costs and other security costs. For example, by sharing a copy of the SAS-70 report from your colocation provider with your PCI or CISP assessor you can often reduce the cost of those audits.
Colocation providers all claim to be secure. But a provider who voluntarily goes through a SAS-70 audit is paying more than lip service. They have hired a third-party auditor to test and confirm the controls that underlie the ability to truly deliver a secure environment. While you can do your own site visits to make sure a data center is physically secure, and your own network review to make sure a network is secure, it's much more difficult to confirm the riskiest portion of data center operations – the processes.
Today's 7×24 always-on hosted world requires some of the highest levels of reliability the industry has ever had to deliver. Leading the charge is redundancy – of everything. Redundancy of power, network, servers, storage and even entire data centers makes up the bulk of the investment towards ever higher degrees of reliability. A SAS-70 audit ensures that claimed backup systems, including generators for power, additional cooling units and UPS (uninterruptible power supply) infrastructure, are in place and properly managed.
Hardware failure can often be attributed to lack of preventative maintenance of critical infrastructure components and other "pre-failure investments". The SAS-70 audit assures that any claim of preventative maintenance is backed up with proper documentation and service records.
SAS-70 has become a well-known and respected standard for data centers. Being able to state that you use only SAS-70 audited providers is a strategic advantage. By selecting a SAS-70 provider, you show your prospects and clients that you take security seriously. To be competitive with any hosted application (e.g. SaaS), you will have to host your information in a SAS-70 audited environment.
A SAS-70 audited data center may be required for you to win clients in certain regulated industries. Certain types of data, by regulation, require that physical, logical and process controls be in place. Specifically, Section 404 of Sarbanes-Oxley calls for testing of internal IT controls that relate to financial reporting, even for outsourced IT functions. HIPAA also has specific data handling controls that can be confirmed with a SAS-70 audit report. PCI and CISP compliance can be more easily accomplished by starting from a SAS-70 audit.