Installment #2: What companies need SAS 70 verification?

What companies really need some kind of SAS 70 auditing and verification?

Commonly, SAS 70 applies to companies that handle financial transactions, credit information, or other private data on a routine basis. However, if your company provides services in any industry where security of information is considered important, such as those dealing with medical information, public security information, or insurance claims and information, you should at least consider using SAS 70 as a guide to help you prepare for implementing compliance.

You don’t need to worry about the specifics of your service provider’s compliance because there is no hard-and-fast set of rules that governs SAS 70 compliance. Each service provider’s rules and policies will be different because SAS 70 is a financial auditing statement, not a security policy certification. It concerns itself with assuring the appropriateness and efficacy of a service provider’s ‘controls’. Basically, whatever the service provider deems important to control, it must have policies and procedures for controlling it, and it must follow them in order for a SAS 70 audit to produce a ‘successful’ report.
