SAS 70 Compliance
Since Netgain acts as a Business Associate under HIPAA for many of our healthcare clients, we went the extra mile and became a SAS 70 Type II Certified hosting provider. The audit evaluates and tests Netgain’s internal policies and procedures including, but not limited to, data storage, building and data center access/security, change procedures for hardware and software, and customer data security.
What is SAS 70?
Set forth by the American Institute of Certified Public Accountants (AICPA), the Statement on Auditing Standards (SAS) No. 70 audit reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy. While a Type I report describes the service organization’s controls at a specific point in time, a Type II report describes those controls and tests them over a period of time (usually six months).
Why is it important to find a SAS 70 Compliant provider?
When businesses, especially those in healthcare, trust their data to a service provider, they need to be absolutely confident in the security of storage, transmission, and deletion of sensitive data. The requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.
Netgain provides customers with documentation of its SAS 70 Type II compliance. This saves customers valuable time and money not only in meeting SAS 70 compliance standards, but also in reaching PCI compliance standards.
The SAS 70 audit independently verifies the validity and functionality of a data center's control activities and processes. These control activities and processes are important to customers within the financial, healthcare, and insurance sectors, as well as to publicly traded companies that need to validate the security of their financial and sensitive information controls. An annual audit is performed to verify both that procedures are in place and effective and that they are maintained.