Over the last several years, industry regulatory developments have started to focus the spotlight on corporate accountability. Many corporations are now closely reviewing and seeking to validate the controls over every item that can affect their financial statements, including the controls in place at outsource service providers (OSP.) As a result, companies looking to outsource their IT infrastructure must consider whether to have the company’s auditor conduct a separate audit of the potential provider, or to select a provider that has already completed a recognized audit and validation process.

The necessary review of a provider is a long and arduous task, not to mention very costly. A number of regulatory provisions, such as Sarbanes-Oxley and Gramm-Leach-Bliley (GBLA), require that company management take responsibility the company’s financial reporting, as well as the external controls. Therefore, it is of the utmost importance that the company has a high degree of confidence in their provider’s internal controls. However, many companies find that attaining this high degree of confidence can be a time-consuming, expensive, and risky undertaking.

Fortunately, there is compliance called Statement on Auditing Standards No. 70 ("SAS 70"), an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). This compliance reports on the controls and internal processes provided by service organizations. This standard is extremely valuable in ensuring proper controls with respect to governance issues, and must factor into the selection of any provider for Managed Services. A SAS 70 review can validate the accuracy and integrity of a managed services provider’s operations to satisfy today’s rigorous reporting requirements, helping a corporation minimize the costs and risks of its own separate review. If the service provider has not gone through a SAS 70 examination, the company faces increased costs and potential risks in using that provider. Increased costs include the added expense of paying the company’s auditors to examine the service organization’s controls, as well as the possibility of weak internal controls, potentially leading to service failures.

SAS 70 certification is a very important standard for hosting providers with respect to it’s compliance activities. Hosted Solutions has received an qualified, Type II SAS 70 certification, demonstrating our commitment to meeting our partner’s needs. To Hosted Solutions ultimately, a SAS 70 examination reflects a global and integrated service solution. It ultimately proves our true commitment and ability to take to meet these high standards, and to exceed your proactive control over our processes. The certification differentiates a service provider from its peers by demonstrating the establishment of effectively designed control objectives and control activities. This creates a strong sense of trust and offers peace of mind to our clients. We believe that our Type II SAS70 certification stands out among other managed service providers, and reflects our leadership, commitment, and excellence. This certification confirms that Hosted Solutions has internal controls that are suitably designed and operating effectively to administer your mission critical applications.

SAS 70 Reporting

The SAS 70 standard involves an external, independent auditor’s evaluation of a service organization’s controls and the execution of those controls. The examination covers critical benchmarks, including the completeness, accuracy, and stability of services rendered in all material respects; the aspects of provider’s controls that may be relevant to a user organization’s internal control as it relates to an audit of financial statements; the controls included in the description were suitably designed to achieve the control objectives specified in the description, and if those controls were complied with satisfactorily and user organizations applied the controls contemplated in the design of the provider’s controls. There are two types of SAS No.70 reports. A Type I report includes the service organization’s description of its controls at a specific point in time (e.g., May 1, 2007). A Type II report includes the service organization’s description of its controls, but goes further to add rigorous testing of the service organization’s controls over a minimum six-month period (e.g., December 1, 2006 to May 1, 2007). A key factor in service provider selection, the SAS 70 standard provides critical guidance in the selection of a managed service provider. SAS 70 certification is a widely recognized indication that the organization has been through an in-depth, independent audit of its control activities.