Over the last 24 hours there has been a lot of traffic on the ITSM alias about SAS70. SAS70 is an auditing standard designed to enable an independant auditor to evaluate and issue an opinion on a service organisations controls. The auditors report can then be used with the organisations customers and their respective auditors to demonstrate it has control objectives and activities in place and they are effective.

SAS 70 can also be related to Sarbanes-Oxley under certain circumstances. Under section 404 a company needs to ensure that the "managements quarterly certification of their financial results and managements annual assertion that internal controls over financial reporting are effective". However, even a full Type II SAS70 report does not mean compliance with Sarbannes-Oxley.

It appears that many of our customers have started to ask for our SAS70 report prior to doing business with us. The traffic on the alias has already suggested that this is quite a significant problem across the GEM's. So I  am currently pulling a small team together to understand how much this is causing problems for our customers and what we can do about it.