SAS 70

What is SAS 70?

Statement on Auditing Standards (SAS) No. 70 is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS 70 audit is widely respected because it demonstrates that a service organization has been through an in-depth audit of its control activities. The audit generally includes controls over information technology and related processes.

SAS 70 audits are not required. However, any company that maintains sensitive data should consider a SAS 70 audit a priority. Examples include companies that provide call centers, process electronic transactions, maintain e-commerce sites, or deliver online software applications (ASPs).

 

A SAS 70 Type II audit is an excellent tool to evaluate and compare the operations and security measures of a data center facility.  SAS 70 Type II audits are used by publicly traded companies to verify a vendor’s internal controls and security protocols as they relate to Sarbanes-Oxley compliance.  Even privately held companies in non-regulated industries can use the SAS 70 audit as an effective guide for evaluating data centers.

 

 

SAS 70 audits vary

SAS 70 audit criteria are determined by the data center being evaluated. If the data center chooses not to set or measure a specific control objective, then it will not be included in the report. Companies should take care to assess the criteria included in the audit as carefully as the results.

 

Companies need to know what to look for before they put their data, equipment and systems at risk. If the data center you select has spent the time and money on an audit by a reputable firm, it shows that the data center has nothing to hide and is willing to prove it.

 
