Editor’s note: Gary McAuliffe is the vice president of business development for Hosted Solutions.
RALEIGH, N.C. – Hosted Solutions is a Raleigh-based company that manages three data centers in North Carolina. This summer we celebrated our fifth anniversary, topped 65 employees and saw nearly 100 percent year-over-year growth. The pace of that growth has required significant staffing increases, as well as an intense internal focus on process and procedure. At the same time, the business world has changed dramatically over the five years we have been in existence.
The corporate scandals at Enron, Tyco and Worldcom have made corporate compliance a top priority at companies of all sizes and in all industries.
Last month, Hosted Solutions announced completion of a SAS 70 Type II audit. Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS 70 audit signifies that a service organization has been through an in-depth, independent examination of its control activities, including controls over information technology and the related processes.
SAS 70 was originally issued in 1992, but received renewed interest on the heels of the Sarbanes-Oxley Act of 2002. Sarbanes-Oxley, a sweeping change in federal securities law, was created in direct response to the corporate scandals at Enron, Worldcom and Tyco. The result was a federal mandate to improve financial controls within publicly traded companies. As companies began to comply with Sarbanes-Oxley, it became important that their vendors (particularly information technology service organizations) maintain comparable standards in their own controls and processes, since a customer's financial reporting can depend on systems the vendor operates. SAS 70 thus became the de facto standard for auditing IT service providers.
Unfortunately, corporate compliance can get complicated. While Sarbanes-Oxley addresses compliance and controls for publicly traded companies, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 addresses similar concerns for organizations that maintain individual health records, and the Gramm-Leach-Bliley Act (GLBA) of 1999 governs control activities, including safeguards for customer data, in the financial services industry.
Each of these federal mandates addresses different components of its associated industry and in turn has a different impact on IT departments. A provider serving organizations in all of these industries, like Hosted Solutions, could literally spend all of its time and resources developing separate standards to meet the needs of each mandate.
Over the last few years, Hosted Solutions has spent hundreds of man-hours participating in independent audits conducted by customers concerned about their own compliance initiatives. While we were glad to participate, we felt it was important to achieve an external validation of our controls that would give our customers a baseline understanding of our compliance measures. We felt the SAS 70 was the best vehicle to achieve that baseline.
Why We Chose The SAS 70 As Our Baseline
From our perspective, the SAS 70 gave the most holistic view of compliance. Over our five-year history, our internal controls had developed from the simple written and verbal processes of our early days to more complex procedures accompanied by stringent internal auditing. Though we were comfortable with how our internal controls addressed our business requirements, we felt it was important to seek external confirmation of those standards.
We chose to conduct a SAS 70 audit because we felt it had the greatest acceptance within our customer base and could give us the broadest approach to our compliance initiatives. At its core, the SAS 70 examines the controls that are deemed critical to an organization and ensures that those standards are being met. It results in one of two report types, Type I or Type II.
The controls designated in a SAS 70 audit reflect the most relevant and important metrics for a particular business. For us, they included items such as physical and electronic security, change management, employee and HR processes, and financial health metrics.
A SAS 70 Type I report presents the service organization's description of its controls as of a specific point in time. A Type II report includes the same description of controls, but adds detailed testing of those controls over a period of at least six months. In a Type I report, the service auditor expresses an opinion on whether the service organization's description of its controls presents fairly, in all material respects, the relevant aspects of the controls that had been placed in operation as of a specific date, and whether those controls were suitably designed to achieve the specified control objectives.
In a Type II report, the service auditor expresses an opinion on the same items covered by a Type I report, and additionally on whether the controls that were tested operated with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved throughout the specified period. The distinction matters to customers: a Type I report says the controls were designed properly, while only a Type II report says they were actually operating over time.
In the last five years, IT departments have seen dramatic increases in the regulations associated with corporate compliance in their industries. Companies large and small have stepped up their approach to compliance, and with it their requirements of the vendors that serve them.
As a provider of IT services to Fortune 500 companies, banks and insurance companies, and hospitals and health insurance providers, Hosted Solutions, like any such service provider, must establish and test control activities that not only meet the needs of its own business but broadly address the needs of all the businesses it serves.
We felt that the SAS 70 gave us the most comprehensive external validation of our controls and compliance, while still allowing us to address the needs of a variety of industries.
For more information on our SAS 70, feel free to reach out to me at gmcauliffe@hostedsolutions.com
Hosted Solutions: www.hostedsolutions.com