
{"id":1284,"date":"2009-03-10T00:00:00","date_gmt":"2009-03-10T00:00:00","guid":{"rendered":"http:\/\/otava.test\/what-is-a-sas-70-audit\/"},"modified":"2009-03-10T00:00:00","modified_gmt":"2009-03-10T00:00:00","slug":"what-is-a-sas-70-audit","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/what-is-a-sas-70-audit\/","title":{"rendered":"What is a SAS 70 Audit?"},"content":{"rendered":"<div style=\"width: 550px; background-color: #1f89c5; color: white; padding: 10px; margin: 20px 0;\">\n<p style=\"color: white; text-align: left; padding: 10px;\"><strong style=\"color: white;\">Update:<\/strong> SAS 70 reports only on controls related to financial reporting. If you need assurance of controls directly related to data centers, including privacy, security and availability, look for a <a style=\"color: white; text-decoration: underline;\" href=\"https:\/\/www.onlinetech.com\/soc-2-hosting-soc-3-hosting\">SOC 2 report<\/a>.<br \/>\nSAS 70 was replaced by SSAE 16 in June 2011.<\/p>\n<\/div>\n<p>SAS-70 stands for the \u201cState on Auditing Standards No. 70\u201d. They were created to identify organizations willing to hold themselves to a proven and higher standard of commitment. It\u2019s essentially an audit of \u201ccontrols\u201d that you claim to have regarding physical and logical protection of your data center.<\/p>\n<p>What is a \u201ccontrol\u201d? It\u2019s a process, policy or tool (hardware or software) that you have in place to enforce a specific claim. For example, at Online Tech we have controls in place to make sure that only appropriate people have physical access to our data centers. 
<a title=\"SAS 70 audits for Dedicated Servers, Data Centers\" href=\"https:\/\/otavawebsite.wpengine.com\/compliance-security\/soc-1-2-3-compliant-cloud\/\">Our SAS-70 audit<\/a> then was conducted by having a 3<sup>rd<\/sup> party CPA visit Online Tech and confirm that the controls we claim to have are really in place.<\/p>\n<p>There are two types of audits: Type 1 and Type 2. A type 1 audit is done for a specific point in time. The auditor will visit and confirm your controls were in place on a specific date when they visited. A type 2 audit is for a period of time, for example, a 6-month period. During that period the auditing firm will visit regularly and confirm that the controls were firmly in place as claimed.<\/p>\n<p>Most organizations first get a type 1, then proceed over time to complete the type 2 audit. Once the type 2 audit is complete, it is generally good for at least 6 months; then the audit is done again to ensure compliance for the next year.<\/p>\n<p>A SAS-70 audit is done by a CPA firm and a data security expert with experience in data center and network security. First the organization prepares a list of claimed controls. The auditors then visit, interview employees, and review systems, procedures and documents to confirm that the claimed controls are in fact in place. Any controls that are not perfectly in place will get an \u201cexception\u201d notice. Ideally your SAS-70 report should have a \u201cno relevant exception\u201d rating for every control.<\/p>\n<p>The SAS-70 audit report will also contain a \u201cstatement of controls\u201d from the auditor. 
This statement gives an opinion as to whether or not these controls, taken together, are sufficient and consistent with typical practices for the type of services and work being performed.<\/p>\n<p>The end result is that a data center with a SAS-70 audit is more likely to be secure and reliable.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update: SAS 70 reports only on controls related to financial reporting. If you need assurance of controls directly related to data centers, including privacy, security and availability, look for a SOC 2 report. SAS 70 was replaced by SSAE 16 in June 2011. SAS-70 stands for the \u201cState on Auditing Standards No. 70\u201d. They were created to identify organizations willing to hold themselves to a proven and higher standard of commitment. It\u2019s essentially an audit of \u201ccontrols\u201d that you claim to have regarding physical and logical protection of your data center. What is a \u201ccontrol\u201d? It\u2019s a process, policy or tool (hardware or software) you have in place designed to enforce a specific claim. For example, at Online Tech we have controls in place to make sure that only appropriate people have physical access to our data centers. Our SAS-70 audit then was conducted by having a 3rd party CPA visit Online Tech and confirm that the controls we claim to have are really in place. There are two types of audits: Type 1 and Type 2. A type 1 audit is done for a specific point in time. 
The auditor will visit and confirm your controls were in&#8230;<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"other_category":[],"class_list":["post-1284","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"acf":[],"yoast_head_json":{"title":"What is a SAS 70 Audit? | OTAVA","description":"A SAS-70 audit refers to the \u201cState on Auditing Standards No. 70\u201d, which identifies those who meet a higher standard of data center protection.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.otava.com\/blog\/what-is-a-sas-70-audit\/","og_locale":"en_US","og_type":"article","og_title":"What is a SAS 70 Audit?","og_description":"A SAS-70 audit refers to the \u201cState on Auditing Standards No. 70\u201d, which identifies those who meet a higher standard of data center protection.","og_url":"https:\/\/www.otava.com\/blog\/what-is-a-sas-70-audit\/","og_site_name":"OTAVA","article_published_time":"2009-03-10T00:00:00+00:00","author":"Irma Brillantes","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Irma Brillantes","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.otava.com\/blog\/what-is-a-sas-70-audit\/#article","isPartOf":{"@id":"https:\/\/www.otava.com\/blog\/what-is-a-sas-70-audit\/"},"author":{"name":"Irma Brillantes","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263"},"headline":"What is a SAS 70 Audit?","datePublished":"2009-03-10T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.otava.com\/blog\/what-is-a-sas-70-audit\/"},"wordCount":430,"commentCount":0,"publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.otava.com\/blog\/what-is-a-sas-70-audit\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.otava.com\/blog\/what-is-a-sas-70-audit\/","url":"https:\/\/www.otava.com\/blog\/what-is-a-sas-70-audit\/","name":"What is a SAS 70 Audit? | OTAVA","isPartOf":{"@id":"https:\/\/www.otava.com\/#website"},"datePublished":"2009-03-10T00:00:00+00:00","description":"A SAS-70 audit refers to the \u201cState on Auditing Standards No. 
70\u201d, which identifies those who meet a higher standard of data center protection.","breadcrumb":{"@id":"https:\/\/www.otava.com\/blog\/what-is-a-sas-70-audit\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.otava.com\/blog\/what-is-a-sas-70-audit\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.otava.com\/blog\/what-is-a-sas-70-audit\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.otava.com\/"},{"@type":"ListItem","position":2,"name":"What is a SAS 70 Audit?"}]},{"@type":"WebSite","@id":"https:\/\/www.otava.com\/#website","url":"https:\/\/www.otava.com\/","name":"OTAVA\u00ae","description":"","publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.otava.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.otava.com\/#organization","name":"OTAVA\u00ae","url":"https:\/\/www.otava.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","caption":"OTAVA\u00ae"},"image":{"@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263","name":"Irma 
Brillantes","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","caption":"Irma Brillantes"},"url":"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/"}]}},"_links":{"self":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/1284","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/comments?post=1284"}],"version-history":[{"count":0,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/1284\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/media?parent=1284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/categories?post=1284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/tags?post=1284"},{"taxonomy":"other_category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/other_category?post=1284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}