How Many MSPs Need SAS 70 Type II Certification?
Larger managed service providers and hosting providers continue to bang the drum for SAS 70 Type II, a standard for auditing service organizations. But I wonder: How many MSPs want — and need — to jump on the SAS 70 bandwagon? Here are some thoughts.
A few days ago, Pilgrim Software Inc. of Tampa, Fla., became the latest managed hosting service provider to achieve SAS 70 Type II certification. And on May 1, SAS 70 will be a key session topic at MSPWorld, a conference hosted by the MSPAlliance in Orlando. Dan Holt, CEO of HEIT, an MSPmentor 100 company, is scheduled to host a session titled “Is SAS 70 Right for Your MSP?”
For HEIT — which serves a range of financial services customers — SAS 70 makes perfect sense. HEIT’s web site notes:
“To show our clients that HEIT’s internal controls are sound and effective, an American Institute of Certified Public Accountants (AICPA) firm completed a Statement on Auditing Standards No. 70 (SAS 70) Type II review in addition to the FFIEC Information Security Audit.”
The Big Picture On Small MSPs
But should smaller MSPs — which don’t necessarily have data centers or internal NOCs — care about SAS 70? In many ways, yes. I think the standard remains an important consideration for MSPs that are seeking to partner with external hosting partners and NOC operators.
Indeed, MSPs need to make sure their hosting and NOC partners have rock-solid controls in place. Demanding SAS 70 Type II certification is one way to gain peace of mind — or at least one way to help mitigate business risk to you and your customers.
Want more information? A range of CPAs and consultants can perform SAS 70 audits for MSPs. Simply Google “SAS 70 Auditors” to get a feel for some options and frequently asked questions. Or, check in with industry associations. The MSPAlliance, for one, has indicated that it will launch some sort of SAS 70 program for its association members during the MSPWorld conference.