SAS 70 Type II
June 30, 2008 by Kevin Hazard, Web Hosting Evangelist in Data Centers, The Planet
Over the course of the last several months, we’ve been working with Weaver & Tidwell, L.L.P., a highly-regarded certified public accounting firm out of Fort Worth, to complete an exhaustive Statement on Auditing Standards No. 70 (SAS 70) Type II audit. Developed by the American Institute of Certified Public Accountants (AICPA), the widely recognized auditing standard certifies that The Planet has been through a rigorous evaluation of its internal processes and controls through an independent third-party auditor.
Voluntarily undergoing an exhaustive audit by a third-party that takes months to complete.
A SAS 70 Type II audit is certainly a big-time undertaking. Some even think starting the process of a future review is worthy of a dedicated blog post … we just got it done.
In the process of the audit, we checked and evaluated the controls and processes for our network, customer provisioning systems, physical and environmental security, problem management and resolution through our customer portal, human resources department organization and administration, data center operations, and most importantly, our data centers themselves.
Daniel Golding, vice president and research director for Tier1 Research explains the significance of SAS 70 compliance in the context of the hosting industry:
Hosting providers that want to offer meaningful IT services to larger enterprises see SAS 70 as the means of both meeting Sarbanes-Oxley auditing requirements, while reassuring IT decision makers that their processes, facilities and staff are capable of providing true enterprise-grade services.
The Sarbanes-Oxley legislation consists of standards required of every public company and important to any company considering or anticipating an IPO. In searching for additional reference information on the significance of SAS 70 to SOX compliance, I came across a great resource: www.sas70.com. The site has a dedicated Sarbanes-Oxley page, where the significance of a Type II audit is masterfully described:
Section 404 [of Sarbanes-Oxley] draws attention to the significant processes that feed and comprise the financial reporting process for an organization. In order for management to make its annual assessment on the effectiveness of its internal control, management is required to document and evaluate all controls that are deemed significant to the financial reporting processes. If the organization uses a service provider to process transactions, host data, or other significant services, management may need to evaluate the design and test the operating effectiveness of the service organization’s controls.
Management will either need to conduct an evaluation of the service organization’s controls, or management may obtain a Type II SAS 70 service auditor’s report from the service organization, if a service auditor has been engaged, to gain an understanding of the service organization’s controls. The relevant audit guidance for SAS 70 already requires that a service auditor’s report contain information on the five components of internal control as it relates to the service organization.
The difference between a Type I audit and Type II audit is pretty significant: Both say “we have well-designed processes, controls and goals,” but the Type II audit must show that the controls and processes have been practiced and they were successful in achieving the initial goals. The proof is in the pudding.
What Does It Mean?
It’s clear that the successful completion of the SAS 70 Type II review is important to all of our customers. It reinforces our commitment to providing the best hosting experience in the industry. Our processes, practices, procedures and controls have been tested and have been proven successful in helping us achieve our operational goals.
-Kevin
July 1st, 2008 at 1:37 pm
What I find interesting is that you now have this after a recent disaster with a ton of oh sorry, we should have thought of that’s. I wonder if the dc portion of your audit is qualified. How can you write about processes and procedures when all you could do was retroactively say we are sorry instead of proactively not have the issue. Blame whatever piece of equipment you wish. The outage was your fault and SAS70 would have caught it had you audited correctly.
July 1st, 2008 at 3:19 pm
Hi Eddie,
Thank you for your feedback. It seems like there is a bit of confusion: our SAS 70 audit of processes and procedures was performed by a qualified, certified and highly-regarded third-party accounting firm. This should not be confused with some kind of one-time inspection of equipment. While I’m not sure how you were affected by the outage, your points are worth discussing.
Our data centers are monitored and inspected by our team of trained staff, and maintenance is performed regularly to ensure equipment functions properly, and I’m sure the process of inspection and repair is taken into account by the audit. What I don’t understand is how you think these inspections, or even SAS 70 (as an audit) would have recognized a future electrical short in a conduit under a parking lot running between a utility transformer and our electrical room.
The empathy we expressed should not be taken as a lack of preparedness, rather it is an understanding of the significance of the impact the event had on our customers and the sincere desire to use our processes and procedures to return to business as usual as quickly as possible.