IT departments at publicly owned companies are well aware of the compliance obligations imposed by the Sarbanes-Oxley Act. But public companies that outsource data center responsibilities remain accountable for the controls over those operations, even if someone else is hosting them. To make that process easier on both the outsourcer and the customer, some data centers are adopting SAS 70 certification.
What is it?
The American Institute of Certified Public Accountants developed the Statement on Auditing Standards (SAS) No. 70. Organizations that successfully complete a SAS 70 audit have been through an in-depth audit of their control activities, including controls over IT and related processes. SAS 70 allows a service provider to hand its customers a third-party attestation of its internal controls instead of having each customer audit those controls separately. Two kinds of report exist, and a customer should ask which one it is getting: a Type I report describes the provider's controls as of a single date, while a Type II report also tests whether those controls actually operated as described over a review period, typically six months or more. Only a Type II report gives evidence that the controls worked, not just that they were documented.
SAS 70 does not hand a data center a fixed checklist. The data center defines its own control objectives, covering data security and redundancy as well as personnel controls, and the auditor tests whether those controls are in place and operating. These requirements include reporting on the following:
In addition, data center staff cannot access servers or data without following a defined procedure. All access and activity is logged, and all physical access is tightly controlled.
"In a SAS 70 data center you have to badge out. You have to use an authenticated security badge with an automated system. Prior to SAS 70, no one had to badge in and out. And you have to provide reports of all of that access to customers," said Denis Martin, chief technology officer of NaviSite Inc., an Andover, Mass.-based data center outsourcer.
Who uses it?
Any publicly owned company that outsources IT responsibilities should know about SAS 70 certification. With the growing amount of data that needs to be saved -- down to the instant message level -- a third-party certification that manages part of that responsibility can be helpful.
Quixote Corp., a publicly owned manufacturer of highway safety products, outsources its PeopleSoft supply chain application to NaviSite. The Chicago-based company was one of NaviSite's first publicly owned customers.
"Quixote is a publicly owned company, so if NaviSite has control of some of our IT and financial operations, we have to be sure they're complying with SOX. So in lieu of us going in and documenting their processes, Ernst & Young goes in and does it instead," said David Schmoeller, CIA for Quixote.
Who performs the audits?
Ernst & Young performs NaviSite's certification process, but there are several certified public accounting firms that specialize in SAS 70 certification -- just as there are a number of outsourcers that provide SAS 70 compliant environments.
According to Martin, SAS 70 is very expensive, but it's the cost of doing business with public companies. Ernst & Young performs two audits on NaviSite a year to keep up with customers' fiscal earnings reports.
At the end of the process, the organization receives the auditor's report (commonly referred to as a certification), which covers everything from how hardware is provisioned to who touches what, including the physical security controls in the space.
What will it do for you?
Though SAS 70 is essentially an auditing standard rather than a security standard, it does offer benefits to IT departments when selecting an outsourced data center. The certification gives outsourcers an advantage over competitors.
It also saves customers from having to go in and document the provider's processes themselves.
"It's a time saver and a money issue as well. We would have to hire a consulting firm to audit our data center operators," Schmoeller said. "Let's say it takes 100 to 200 hours [to complete a SAS 70 audit]. At $100 to $200 per hour, work out the math."
Let us know what you think about the story; e-mail: Matt Stansberry, News Editor