SAS 70 Compliance for Data Center Providers

5 comments

Nathan Hatch is President and CEO of C7 Data Centers, a privately held company focused on providing high-value data center solutions for colocation, disaster recovery, data backup and virtualization.

Nathan HatchNATHAN HATCH
C7 Data Centers

Customers want to know that they can trust their data center provider to meet the most rigorous controls standards, demanding accountability and transparency. The American Institute of Certified Public Accountants (AICPA) created a “Statement of Auditing Standards” certification termed “SAS 70” to help customers know that their data center provider has effective internal controls in place for managing the design, implementation and execution of customer information.

The basic certification is called SAS 70 type I, which an independent service auditor assigns after a thorough review of the degree to which a data center provider fairly represents its services in regards to the operational controls that have been implemented to meet set objectives.

Examples of internal controls measured include:

  • Aspects of the service organization’s control environment; risk assessment processes; information and communication processes; and monitoring processes that may affect the services provided to user organizations, as it relates to an audit of financial statements;
  • Control objectives and related controls; and
  • Complementary controls that may be required at user organizations.

After the independent service auditor assess the internal controls, a statement and opinion are given as to whether the controls are suitably designed to achieve the objectives of the control measures. An opinion and statement in the affirmative by the auditor is a SAS 70 type I certification.

The SAS 70 type II certification is similar to the type I certification. However, an additional section is added which includes the service auditor’s opinion on how effectively the controls operated during the defined review period (which is usually six months, but can be longer).

Data center providers should have the SAS 70 type I and type II certifications on hand for their customers to review. By certifying the internal control measures, providers can attract a more sensitive customer base seeking a transparent data center partner, and provide a renewed level of confidence for both customers and data center operators. Take the time to consider all aspects of certifications as they relate to operating. Performing this evaluation will increase dividends for all involved.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.

Add Your Comments

  • (will not be published)

5 Comments

  1. Tushar

    Hello Mr. Hatch, How often do you see Data Centers use ISO 17799/27002 as a basis for certification of their controls?

  2. Great Write-up, The SAS70 Type II is a great way to have a 3rd Party Audit your Security and Control Objectives that a Datacenter puts in place. It is generally a must have for some of the Financial customers we face.

  3. SAS 70 is a must for health care provider also due to increasing level of regulatory and compliance requirements.

  4. Just came across this and wanted to offer a quick update. Last spring, a new standard took effect for U.S.-based colocation, cloud, managed hosting and other services providers — the Statement on Standards for Attestation Engagements No. 16, the SSAE 16. Created by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), the SSAE 16 replaces the SAS 70 for periods ending after June 15, 2011. Why a new standard? Largely, SSAE 16 reflects AICPA’s efforts to converge the U.S. auditing standard with the international standard (not merely regional or national standards), and in the process, set a higher bar by refining the procedures for auditing a service provider’s internal controls. - Laurie Head, VP, AIS Network Cloud Hosting (http://www.aisn.net)