Certified Localized Data Centers
Anyone preparing to comply with important legislation such as Sarbanes-Oxley, HIPAA, or Gramm-Leach-Bliley, or even Federal Rules 26 and 34*, understands the need to partner with those who have performed the due diligence to ensure our standards exceed those of the typical co-location industry.
SOS Online Backup has made the commitment and dedicated the time and resources to guarantee that it works with a qualified partner. Making the time and devoting the resources to a SAS 70 audit is a significant process. Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS 70 audit or examination is widely recognized because it represents that a service organization has been through an in-depth audit of its control activities, which generally include controls over information technology and related processes.
In today’s global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. SAS No. 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers’ auditors in a uniform reporting format. A SAS 70 examination signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. A formal report including the auditor’s opinion (“Service Auditor’s Report”) is issued to the service organization at the conclusion of a SAS 70 examination. SAS 70 provides guidance to enable an independent auditor (“service auditor”) to issue an opinion on a service organization’s description of controls through a Service Auditor’s Report (see below).
SAS 70 Objectives
SAS 70 is not a pre-determined set of control objectives or control activities that service organizations must achieve. Service auditors are required to follow the AICPA’s standards for fieldwork, quality control, and reporting. A SAS 70 examination is not a “checklist” audit. SAS No. 70 is generally applicable when an auditor (“user auditor”) is auditing the financial statements of an entity (“user organization”) that obtains services from another organization (“service organization”).
Service organizations that provide such services could be application service providers, bank trust departments, claims processing centers, internet data centers, or other data processing service bureaus. In an audit of a user organization’s financial statements, the user auditor obtains an understanding of the entity’s internal control sufficient to plan the audit as required in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit.
Identification and Evaluation
Tier four data centers
Identifying and evaluating relevant controls is generally an important step in the user auditor’s overall approach. If a service organization provides transaction processing or other data processing services to the user organization, the user auditor may be required to gain an understanding of the controls at the service organization.
* Overview: Federal Rules of Civil Procedure. Rule 26: General Provisions Governing Discovery; Duty of Disclosure. Rule 34: Production of Documents and Things and Entry Upon Land for Inspection and Other Purposes.