Ali Gheewala, of Gheewala CPA PLLC, is a Certified Public Accountant specializing in conducting SAS 70 audits throughout the nation and helping data centers become SAS 70 Certified.
The data center market experienced a boom in the first decade of the 21st century, but this boom came with a price. We are now in the "age of regulation," and government compliance is becoming increasingly crucial for data centers. Public companies, by nature, are required to be Sarbanes-Oxley (SOX) compliant, and both public and private firms, are required to be HIPAA compliant. As such, data center operators have budgeted for huge costs and workloads for SAS 70 Audits. SAS 70 audits satisfy the SOX 404 reporting requirement, which requires an annual report on the effectiveness of the organization’s internal controls.
So what is a SAS 70 Audit? In brief, SAS 70 Audit is a widely recognized auditing standard developed by the American Institute of Certified Public Accounts (AICPA) for the third-party assessment of service organizations, such as data centers.
It can be conducted solely on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives, known as a Type I audit report. The audit can also be conducted to adhere to regulatory compliance via a Type II audit report. Type II audit report includes the information contained in a Type I audit report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review.
Benefits of SAS Audit
The upside for a SAS 70 audit is that it serves as a potent marketing tool for attracting new customers, in addition to the compliance requirements. A SAS 70 audit report provides assurance to customers (user organizations) that their data center provider has effective internal controls in place. Additionally, the customers will rely on and utilize the SAS 70 audit report in conjunction with their own audits as a cost savings strategy.
SAS 70 audits are heavily relied upon by the customers, and therefore, Data Centers that are not SAS 70 certified could potentially see their customer base decline. Additionally, most government contracts require Data Centers to be SAS 70 Certified. The enhanced reliance on SAS 70 audit reports has resulted in many private companies undergoing SAS 70 audits in order to increase their marketability and customer base, as well as to effectively compete with other Data Centers who are already SAS 70 certified.
Advantages to Data Center Clients
A SAS 70 audit offers other potential benefits to data centers. The following are just a few examples of the potential benefits that our clients have expressed:
- The SAS 70 audit report allows data centers to provide customers with independent third-party verification regarding the operating effectiveness of its internal controls.
- The SAS 70 audit report can be used by a user organization’s financial statement auditors as a substitute for those parties performing their own first-hand audit procedures. In fact, SOX auditing regulations identify the Type II SAS 70 audit report as the only acceptable substitute for an auditor performing their own first-hand testing of a service organization’s controls.
- The SAS 70 audit report helps a service organization build trust with its user organizations (i.e., customers).
- A SAS 70 audit also presents an opportunity to gain a competitive advantage over rivals lagging in development of a comprehensive internal control assurance process.
- If properly designed, the SAS 70 audit can provide benefits similar to an internal audit function for service organizations that do not currently have an internal audit department. Very often this process results in the identification of opportunities for improvements in many operational areas.
- A SAS 70 audit is fairly straight forward, as the service organization defines its control objectives with the collaborative efforts of the CPA and other professionals involved in the audit process. The control objectives, at the minimum, entail what the service organization is marketing and offering to its clients such as the degree of security within its data center facility, innovative equipment, secured infrastructure and other enhanced services of the data center offered to its customers. With ever-changing technology, experienced SAS 70 auditors provide recommendations on improving and strengthening the control environment while conducting the SAS 70 audit.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.