Great points – though I would embellish the first two bullets a bit to avoid being tricked by their IT Staff through “shock and awe”.
- SAS 70 are based on management determined controls, so to depend on them YOU must verify the controls being audited (i.e., don’t accept the Executive Cover Letter, but require review of the actual control tests). Second to make a SAS 70 Type II useful – verify the scope of the audit includes your concerns. (this leads me to bullet #2).

- Audit results are great – beware of SCOPE. Most organizations will try to secure data carefully, but when 3rd party validations occur they are restricted to specific types of control checks that are designed to prevent specific types of risks. Unless your data falls under those “specifics” you need to look beyond the standards advertised.

Other thoughts?

James DeLuccia IV