Brivo Systems, a provider of Web-hosted applications for access control and video, announced the successful completion of a SAS 70 Type II information security audit. The SAS 70 Type II certification assures customers that a service provider's controls and processes provide reasonable assurances of service levels and data security.
“Statement on Auditing Standards No. 70,” commonly abbreviated as “SAS 70,” is an auditing statement issued by the American Institute of Certified Public Accountants (AICPA). It defines the processes an auditor uses to assess the internal controls of service organizations that provide data processing, storage, or application services to their customers. Brivo's SAS 70 audit was performed by the SC&H Group, LLC of Sparks, MD, a CPA and management consulting firm serving a large client base ranging from emerging businesses to the largest Fortune 500 companies.
The Sarbanes-Oxley Act has identified the Type II SAS 70 audit as the only acceptable method for a third party to assure a service organization's controls. The Type II audit is more thorough than Type I (awarded to Brivo in 2008) because it assesses whether the company's security control processes are effective during the entire calendar period for which the audit applies.
“The Type II audit was a logical and important next step after our Type I audit last year,” said Steve Van Till, President and CEO of Brivo Systems. “We continued this rigorous SAS audit process, in part, to satisfy growing demand from Fortune 500 and other publicly held companies with whom we do business.” Under most interpretations, Sarbanes-Oxley compels public companies to have IT audits for internal systems and, by extension, for any outsourced services they use for certain critical services. According to the SEC, publicly held companies can rely on an outsourced service provider's SAS 70 report to meet their own obligation to assess controls over outsourced services. Van Till continued, “Our successful completion of the SAS 70 Type II means our customers can be assured that they are in full compliance with their own audit requirements for the outsourced security services that we provide. This gives our customers peace of mind and saves them considerable time and expense.”
In addition to Sarbanes-Oxley compliance, the Health Insurance Portability and Accountability Act (HIPAA) requirements are also driving increased reliance on SAS 70 audits. “Healthcare organizations subject to HIPAA have become much more concerned with compliance by their vendors,” said Van Till, “but we have found they are generally willing to accept a SAS 70 audit statement as proof that their privacy requirements are being properly handled.”