I’m not suggesting that managed service providers are marching in masses toward SAS 70 Type II certification. But anecdotal evidence suggests top MSPs continue to embrace the certification. True believers include Nirvanix, a cloud storage provider in San Diego.
Nirvanix this week said it had “successfully completed the Statement on Auditing Standards No. 70 (SAS 70) Type II audit.” The audit was evaluated and tested by an independent accounting and auditing firm, the company added.
As MSPmentor has reported, SAS 70 is an auditing standard for service organizations developed by the American Institute of Certified Public Accountants (AICPA). It is a widely recognized assessment of a company’s strengths of internal controls based upon identified objectives, notes Nirvanix.
The MSPAlliance, an association of managed service providers, in April 2009 announced plans to offer SAS 70 Type I and Type II audits through a partner called SAS70 Service.
Follow MSPmentor via RSS, Facebook, Identi.ca and Twitter. Subscribe to our Enewsletter, Webcasts and Resource Center.
Read More About This Topic
Share This Post
Posted In: Certification
Tags: Cloud SAS 70 Type II | MSPAlliance SAS 70 | Nirvanix | SAS 70 Type II Audit | SAS70 Service
Interact: Add a Comment | Trackback Link | Permalink
Subscribe: RSS Feed
Take a look at our 
That is sad since SAS 70 is really a measure of how you adhere to your internal processes. Not necessarily “best practice” objectives.You could build a cement canoe and if controls/processes in place pass the audit. The problem is financial services industry(banks,ect) require it since there was no independent accrediation for a 3rd party supplier. Maybe the industry will move toward Comptia’s Security Trustmark which meets the goals clients really want from a 3rd party IT supplier.
We have seen that the SAS70 Type II certification being as beneficial to marketing as it was to defining and implementing our control set. Since we do both traditional MSP services in addition to various datacenter and cloud services, the SAS70 was a right fit for us.
Having completed the certification process six months ago, we have seen our Datacenter sales almost double as we marketed to our clients and prospects that we had received the certification. Dead leads came back as we learned that the one barrier they had in selecting us as a vendor previously, was not having a SAS70 Type II certification.
The certification, beyond validating the integrity of our managed services controls, has become a key component of our sales and marketing process.
Brian Doyle
http://www.fandotech.com
Joe,
Rarely does a company complete an expensive audit or certification “just because” for gloating or marketing purposes. Truth is, if you work anywhere above the bottom of the SMB market, you are seeing the requirements for compliance and audits show up in RFP’s.
With the economy where it is, few companies are willing to sign big contracts or even enter in negotiations with vendors that do not have their stability vetted by someone else. Not that SAS 70 Type II states that, but it shows documentation and 3rd party review.
I often talk to MSPs and when I ask them about their process, strategy, etc I just hear the names of tools. How do you handle process? Oh, we have Autotask/ConnectWise. How do you assure the uptime? Oh, we use (insert tool).
Stuff like that doesn’t fly when you work with the government or Fortune 500. They ask for things like records, audited process documentation, references, etc.
As the SMB MSP’s become more savvy and start bidding on bigger projects, they will start seeing the same requirements and will start chasing these requirements much the same way we all used to chase vendor certifications back in the day.
-Vlad
CEO, Own Web Now Corp, ExchangeDefender
http://www.ownwebnow.com
Vlad, Brian, Earle: Belated thanks for sharing your personal perspectives. Seems like the MSP community — even smaller MSPs — are getting pretty sophisticated as they weigh whether or not to pursue a SAS 70 Type II audit.