SAS 70 And Your Company

In the world of IT, hosting, and network administration we hear a lot of jargon, acronyms, and other confusing terms. Some of the most dreaded of these have to do with auditing and certification procedures. Here is the good news: if a client asks you to comply with a SAS 70 audit, you get to write your own control policies and then show that you are following them! Your audit will be a breeze! Well, it can be, anyway.

First, you need to know the basics of SAS 70, which I will cover over my next eight installments, beginning with:

Installment #1: What is SAS 70? Do you need SAS 70 auditing?

SAS 70, or Statement on Auditing Standards No. 70: Service Organizations, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants. It is basically a guide for auditors to use when examining the internal controls and policies of a service provider that is heavily involved in the finances of a given company. In practice, if your company relies on a particular service provider for a service that accounts for a significant portion of your costs or your revenue, you probably need to have them submit to a SAS 70 audit, or at least provide evidence that they have done so within the past year.

For example, if your company sells tropical fish and you have a website where most of your orders are submitted and processed, you probably should ask your website host, and possibly your website design company, if they have been audited for SAS 70.

Why Choose a SAS 70 Certified Company?

The benefits of choosing a SAS 70 certified company are as reciprocal as they are perpetual. A certified company should be able to provide an Independent Service Auditor’s Report that details its controls on request, eliminating the need to obtain your own auditor and incur all the related costs to report on the same controls. Of course, this specific benefit is entirely dependent upon how important the security of your company’s data is to you and your clients, which leads into the perpetual benefits.

If you are questioning how important your data really is, consider these questions:

  • Do you routinely manage sensitive data in your line of business?
  • Is the security of your clients’ information an object of concern?
  • What is the nature of your business, and would it benefit you to become SAS 70 certified?

If so, you should be very particular about where you store your data. Many data centers have become SAS 70 certified for this very reason: as a convenience and assurance to their customers that they, in turn, can qualify for SAS 70 certification if the need arises, because their data is stored in a regulated, certified facility.

As the threat of cyber-crime rises, it will be interesting to see awareness of, and demand for, SAS 70 certified service organizations rise in parallel. In that case, your decision to choose and/or become a SAS 70 certified company can be considered a preemptive strategy that will secure your customers’ trust and loyalty.

How Do You Know When You Should Certify?

A SAS 70 audit is performed for organizations both as a demonstration of openness and accountability and as a matter of convenience. Essentially, when a company engages an Independent Service Auditor for SAS 70 certification, it opens up its inner workings to a scrupulous review of its control processes and objectives, which is valuable information for user organizations that are considering doing business with that company.

For many user organizations, knowing that their vital company data is secure and appropriately managed by a given service organization is critical, and a Service Auditor’s SAS 70 report contains just the information they need to make their decision.

As to the issue of convenience, a service organization with a current Service Auditor’s Report can answer individual queries from users with that single report rather than undergo separate audits at the request of any number of users. In this way, obtaining SAS 70 certification can be a great investment of time and resources.

When you certify is really up to you, and before you decide, you should consider these few questions:

  • How important is it to your current and potential clients that your internal processes have been cross-checked and officially cleared?
  • How often do you experience audit requests from customers and has it reached the point that a single report would make a significant difference in the way you spend your time?
  • Have you been looking for a way to have your control policies and procedures evaluated and tested if only for the opportunity to improve your current operations?

If you’ve answered yes to any one of these questions, perhaps SAS 70 certification is something you should look at a little more closely.

NetHosting SAS 70 Certified

Since the Sarbanes-Oxley Act of 2002, there have been some pretty stringent requirements placed on the accounting and auditing industry. Among those standards is the Statement on Auditing Standards No. 70 (or SAS 70), which is a highly detailed qualification standard for service organizations.

There are a number of advantages for service organizations that have been SAS 70 certified, including a detailed auditor’s report stating that their operations have been assessed and validated by a third party. Such documentation can be persuasive when shown to potential clients, especially clients that must themselves abide by SAS 70 in their line of business.

NetHosting is operated out of a fully SAS 70 certified data center which received its certification after a scheduled review by an independent service auditor.

In a recent press release issued by the company, the CEO of NetHosting was quoted as saying, “Transparency in business is vital to gaining the trust of our clientele, and complying with SAS 70 has allowed us the opportunity not only to subject our processes to a structured audit, but to then publish the results in a detailed and organized report for anyone to see. Our compliance with PCI, in addition to SAS 70, is a good example of our commitment to being a business our clients can trust.”

NetHosting became PCI compliant in April of last year, establishing itself as the first PCI compliant data center in Utah.