One of the most common questions financial services companies ask us is whether we have a SAS 70 data center certification. For those of you who aren’t familiar with the term, here’s the definition straight from the SAS 70 about page:
Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor’s examination performed in accordance with SAS No. 70 (“SAS 70 Audit”) is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes. In today’s global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.
In short, SAS 70 certification means that you have control objectives, and that you adhere to them, as attested in an audit. And Sarbanes-Oxley puts a great deal of weight on the certification.
Before we had our SAS 70 certification, we had prospective clients choose an outsource data center with SAS 70 certification over our data center, even though we offered higher levels of uptime at lower prices.
The strange thing, in my opinion, is that the company seeking SAS 70 certification writes their own control objectives. Isn’t this asking the fox to guard the henhouse? If I’m clever enough to write vague, simplistic control objectives, I can obtain a SAS 70 certification without really having a well-run facility.
What do you think? Is a SAS 70 data center certification like a fox guarding the henhouse?