Over the course of the last several months, we’ve been working with Weaver & Tidwell, L.L.P., a highly-regarded certified public accounting firm out of Fort Worth, to complete an exhaustive Statement on Auditing Standards No. 70 (SAS 70) Type II audit. Developed by the American Institute of Certified Public Accountants (AICPA), the widely recognized auditing standard certifies that The Planet has been through a rigorous evaluation of its internal processes and controls through an independent third-party auditor.
Voluntarily undergoing an exhaustive audit by a third-party that takes months to complete.
A SAS 70 Type II audit is certainly a big-time undertaking. Some even think starting the process of a future review is worthy of a dedicated blog post … we just got it done.
In the process of the audit, we checked and evaluated the controls and processes for our network, customer provisioning systems, physical and environmental security, problem management and resolution through our customer portal, human resources department organization and administration, data center operations, and most importantly, our data centers themselves.
Daniel Golding, vice president and research director for Tier1 Research explains the significance of SAS 70 compliance in the context of the hosting industry:
Hosting providers that want to offer meaningful IT services to larger enterprises see SAS 70 as the means of both meeting Sarbanes-Oxley auditing requirements, while reassuring IT decision makers that their processes, facilities and staff are capable of providing true enterprise-grade services.
The Sarbanes-Oxley legislation consists of standards required of every public company and important to any company considering/anticipating an IPO. In searching for additional reference information on the significance of SAS 70 to SOX compliance, I came across a great resource: www.sas70.com. The site has a dedicated Sarbanes-Oxley page, where the significance of a Type 2 audit masterfully described:
Section 404 [of Sarbanes-Oxley] draws attention to the significant processes that feed and comprise the financial reporting process for an organization. In order for management to make its annual assessment on the effectiveness of its internal control, management is required to document and evaluate all controls that are deemed significant to the financial reporting processes. If the organization uses a service provider to process transactions, host data, or other signficant services, management may need to evaluate the design and test the operating effectiveness of the service organization’s controls.
Management will either need to conduct an evaluation of the service organization’s controls, or management may obtain a Type II SAS 70 service auditor’s report from the service organization, if a service auditor has been engaged, to gain an understanding of the service organization’s controls. The relevant audit guidance for SAS 70 already requires that a service auditor’s report contain information on the five components of internal control as it relates to the service organization.
The difference between a Type I audit and Type II audit is pretty significant: Both say “we have well-designed processes, controls and goals,” but the Type II audit must show that the controls and processes have been practiced and they were successful in achieving the initial goals. The proof is in the pudding.
What Does It Mean?
It’s clear that the successful completion of the SAS 70 Type II review is important to all of our customers. It reinforces our commitment to providing the best hosting experience in the industry. Our processes, practices, procedures and controls have been tested and have been proven successful in helping us achieve our operational goals.
-Kevin
