SAS 70 (Statement on Auditing Standards No. 70) has been around for nearly 20 years. First issued in 1992, it became the de facto standard that data center customers relied on as evidence that their provider was secure and operating under proper controls. The problem, according to the American Institute of CPAs (AICPA), is that SAS 70 was never designed for service organizations offering colocation, managed servers or cloud hosting. It was written for auditors of a service organization's customers, and its scope is internal controls over financial reporting, not information security.
A SAS 70 audit only verifies that the controls and processes the data center operator itself has described are in place (a Type I report) and, for a Type II report, that they operated effectively over the review period. There is no minimum bar the operator has to meet and no external benchmark to hold operators accountable to; the operator writes its own control objectives. A data center with strong controls and processes can therefore claim the same audit as one with weak controls. The only way a customer can tell the difference is to read the detailed report: the control objectives the operator chose, the tests the auditor performed, and any exceptions noted.
A prevalent misunderstanding about SAS 70 is that a data center or other service organization becomes "SAS 70 Certified" after completing an audit. No such certification exists: the auditor issues a report, not a certificate. Many providers that have been through a SAS 70 audit have nevertheless created their own "SAS 70 certified" logo, implying an outside certification that no auditor or standards body actually grants.
SSAE 16 (Statements on Standards for Attestation Engagements No. 16) is the AICPA standard that replaces SAS 70 for reporting on controls at service organizations (including data centers) in the United States, effective for reports covering periods ending on or after June 15, 2011.
SSAE 16 goes beyond SAS 70 by requiring the auditor to obtain a written assertion from management about the fair presentation of the system description and the design and operating effectiveness of the controls being reviewed, which puts management's name on the claims rather than only the auditor's. SSAE 16 also aligns more closely with the international standard ISAE 3402. One caveat for anyone evaluating a provider's security: an SSAE 16 report (commonly called a SOC 1 report) is still scoped to controls relevant to financial reporting. A provider's controls over security, availability and confidentiality are covered by a SOC 2 report against the AICPA Trust Services criteria, so ask for that report when security is the question.
"Contract Guardian gives organizations confidence that their contract management information is securely stored for as long as necessary, yet quickly accessible when needed."