SAS 70 Type II is the most widely recognized professional auditing standard. Developed by the AICPA (American Institute of Certified Public Accountants), SAS 70 represents the professional guidelines that CPAs (certified public accountants) must follow when conducting audits. SAS 70 Type II compliance signifies the most stringent form of professional examination.

An audit based on this level of compliance certifies that a hosting provider has had its control objectives and activities examined by a qualified independent accounting and auditing firm. SAS 70 Type II adherence demonstrates that a provider maintains adequate processes and safeguards when it hosts or processes customer data. An SAS 70 Type II audit is a major undertaking for any hosting provider, which has much to gain or lose depending on the audit’s outcome.

Key areas of analysis include:
- Computer and network operations
- Network security
- Business physical security
- Datacenter physical security
- Business-environment security
- Datacenter-environment security
- Logical security
- Business continuity and disaster-recovery planning
- Change management for applications and solutions
- Executive and senior management
- Decision-making processes
- Human resources