SAS 70 Attestations Document Management

Ensuring that your documents are secure and accessible only to authorized parties is of paramount importance in today’s interconnected world.

When most people think of document security, they think of securing documents from malicious parties, such as competitors looking to gain an edge over your company. Hackers looking to disrupt your communication hierarchy or gain access to your customers’ information are also certainly among the principal threats that security systems attempt to safeguard against. And even more important to SAS 70 attestations document management are data backup and data center legitimacy.

However, attacks from hackers are not the only reason you want to have a trusted security protocol protecting your company’s documents. If an important document is accidentally altered or deleted by one of your own employees, it can have disastrous consequences down the road. Events such as a fire or system failure that result in data loss can also be harmful to your organization.

That is why, if you choose to update your document management systems, you should choose a document management provider that meets the highest standards of security, such as eFileCabinet. eFileCabinet’s data centers have achieved Level 1 PCI compliance, ISO 27001, HIPAA, and SAS 70 Type II certifications.

While all of those qualifications certainly sound impressive, many organizations lack a clear understanding of what they mean, how they pertain to document management, and what they can do for your business. We’ll focus on two of the most important, SAS 70 Type I & II, and look at what the certification can do for your organization.


SAS 70 Type I

At its core, the SAS 70 is a certification process that allows customers to evaluate a data center provider to ensure that it meets the highest standards of transparency, accountability, and, most of all, data control. SAS stands for “Statement of Auditing Standards,” and SAS 70 is a widely recognized auditing standard created by the American Institute of Certified Public Accountants (AICPA). It provides guidance to enable an independent auditor (or “service auditor”) to measure the effectiveness of data centers’ internal controls for managing the design, implementation, and execution of customer information. SAS attestations document management matters a lot at the Type I level.

The SAS 70 Type I is the basic certification that can be given to a data center. To award a data center an SAS Type I certification, an independent service auditor performs a thorough review of how well a data center provider represents the nature and strength of its services regarding the operational controls that have been implemented to meet a set objective.

A wide variety of internal controls may be measured. These include elements of the data center’s control environment, information and communication processing, risk assessment processes, and any monitoring processes that may impact the services that will be provided to a company or organization as it relates to an audit of financial statements. The independent service contractor may also measure the control objectives that a data center has laid out, as well as any related controls that may be relevant, and may even go so far as to test any complementary controls that may be required at a user’s organization.

Once the independent service auditor has assessed all of the necessary internal controls, a statement and opinion are given as to whether or not the systems in place at the data management center meet the standards necessary to achieve the objective of the control measures. Once an opinion and statement declare that the data center meets those standards, the center has achieved SAS Type I certification.


SAS 70 Type II

An SAS 70 Type II certification involves all of the tests and evaluations necessary to obtain an SAS 70 Type I certification but includes an additional section that requires the independent service auditor to judge how well the data center’s controls operated over a defined review period. This review period usually lasts about six months, but it can often be longer to ensure the highest standards of quality.

Once this period is over, the independent service auditor can include a description of the service auditor’s operating effectiveness, and will also include any other information provided by the service organization, such as a glossary of terms.

When you are entrusting your company’s data to a data center, it is simply irresponsible to use an organization whose facilities are not SAS 70 Type I and SAS 70 Type II certified. These certifications are the minimum certifications that a data center should have before you trust your information to it, and they should be displayed prominently within the center’s facilities. To learn more about how eFileCabinet ensures that the data you trust to its data centers stays secure, visit its website and talk to one of its representatives today.