SAS 70 Compliance for Data Center Providers

The American Institute of Certified Public Accountants (AICPA) certification termed “SAS 70” helps customers know that their data center provider has effective internal controls in place.

Nathan Hatch is President and CEO of C7 Data Centers, a privately held company focused on providing high-value data center solutions for colocation, disaster recovery, data backup and virtualization.

NATHAN HATCH
C7 Data Centers

Customers want to know that they can trust their data center provider to meet the most rigorous controls standards, demanding accountability and transparency. The American Institute of Certified Public Accountants (AICPA) created a “Statement of Auditing Standards” certification termed “SAS 70” to help customers know that their data center provider has effective internal controls in place for managing the design, implementation and execution of customer information.

The basic certification is called SAS 70 type I, which an independent service auditor assigns after a thorough review of the degree to which a data center provider fairly represents its services with regard to the operational controls that have been implemented to meet set objectives.

Examples of internal controls measured include:

  • Aspects of the service organization's control environment; risk assessment processes; information and communication processes; and monitoring processes that may affect the services provided to user organizations, as it relates to an audit of financial statements;
  • Control objectives and related controls; and
  • Complementary controls that may be required at user organizations.

After the independent service auditor assesses the internal controls, a statement and opinion are given as to whether the controls are suitably designed to achieve the objectives of the control measures. An opinion and statement in the affirmative by the auditor is a SAS 70 type I certification.

The SAS 70 type II certification is similar to the type I certification. However, an additional section is added which includes the service auditor’s opinion on how effectively the controls operated during the defined review period (which is usually six months, but can be longer).

Data center providers should have the SAS 70 type I and type II certifications on hand for their customers to review. By certifying the internal control measures, providers can attract a more sensitive customer base seeking a transparent data center partner, and provide a renewed level of confidence for both customers and data center operators. Take the time to consider all aspects of certifications as they relate to operating. Performing this evaluation will increase dividends for all involved.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.
