SAS 70 and Online Backup and Recovery Services
LiveVault Corporation
April 2005
What Is SAS 70?
Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA), a private organization, not a government body. A SAS 70 audit represents that a service organization has been through an in-depth audit of its financial and operational control activities by an independent accounting and auditing firm, which generally includes controls over information technology and related processes.
There are two types of SAS 70 reports: Type I and Type II. A Type I report covers the service organization’s description of its controls at a specific point in time (e.g. June 30, 2003). A Type II report also includes detailed testing of the service organization’s controls over a minimum six-month period (e.g. January 1, 2003 to June 30, 2003).
SAS 70 is not a pre-determined set of control objectives or control activities that service organizations must achieve. A SAS 70 audit is not a “checklist” audit. The organization being examined determines the nature and extent of the controls, not the auditor.
SAS 70 is generally applicable when an auditor is auditing the financial statements of an organization that obtains services from a service organization. Service organizations could be application service providers, bank trust departments, claims processing centers, Internet data centers, or other data processing service bureaus.
Why SAS 70 Is NOT Relevant To Prospects Considering the LiveVault Service
No Government Regulation Requires An Outsourcer To Have A SAS 70 Audit. A private group created SAS 70. In particular, the Sarbanes-Oxley Act does not mandate SAS 70.
A SAS 70 Audit Is Not Highly Relevant To A Provider Of Data Backup Services Such As LiveVault. SAS 70 audits are most relevant to outsourcing organizations that perform transaction processing or other forms of data manipulation on their customers’ data. LiveVault does not perform any processing on the data.
LiveVault Can Address Any Questions A Customer’s Auditor May Have. If a customer’s auditor feels the need to examine LiveVault’s internal controls with respect to backup of financial data, LiveVault can address any questions that the auditor may have. LiveVault’s technology and controls are extensive, exceeding best industry practices. All customer data is encrypted before it is transmitted, and remains encrypted while stored by LiveVault. Only the customer has the password.
SAS 70 Does Not Provide Assurance That Necessary Safeguards Are In Place. Because SAS 70 is not a pre-determined set of control objectives or control activities, an organization defines the controls that it thinks are appropriate for itself. A SAS 70 report does not provide assurance that all desirable controls are in place. For example, there is no assessment of vulnerabilities that might exist but are not covered by existing controls.
SAS 70 Is Not A Technology Audit. Because a SAS 70 audit can only be performed by CPA firms, in-depth technology reviews may be lacking. Potential opportunities for technologically sophisticated attacks will not be identified.
Why Are You, the Customer, Interested In SAS 70?
Customers tend to ask about SAS 70 for one of two reasons:
1. Some publicly traded companies want to use SAS 70 to help them with Sarbanes-Oxley.
2. Some customers have spoken with another online backup service provider who told them they should be asking LiveVault for proof of a SAS 70 audit.
If your interest in SAS 70 is motivated by Sarbanes-Oxley (SOX) legislation:
The LiveVault Service is compliant with SOX requirements. The use of the LiveVault Service is beneficial to any company when establishing its overall compliance with SOX:
- Remember that Sarbanes-Oxley Does Not Require SAS 70. (Sometimes SAS 70 is pressed into service for SOX because SOX does not create a certification mechanism.)
- LiveVault encrypts and redundantly stores all data. Because all data is encrypted before it leaves your servers, access to data through the backup process is impossible. LiveVault InSync preserves the completeness and accuracy of backup data, so subsequent processing following restoration can be relied upon. LiveVault keeps separate, redundant copies of all data off site from your facilities. LiveVault keeps redundant copies of both current data and all historical archived copies.
- LiveVault Offers Guaranteed Recoverability. This is provided in the form of a limited warranty.
- If you need further documentation in lieu of a Service Auditor’s Report, LiveVault recognizes your responsibility to Sarbanes-Oxley and can provide a letter from LiveVault management summarizing the controls for the LiveVault Service.
If your interest in SAS 70 is motivated by another online backup provider’s statements:
- Remember that any assertion that SAS 70 is needed is misguided. There is no regulation that requires SAS 70.
- LiveVault uses state-of-the-art technology to protect the privacy and integrity of all data under its protection. LiveVault and its agents cannot see your data in clear text under any circumstances. Only you have the password. Also, LiveVault uses integrity checks on all data to ensure that no data is altered, either accidentally or maliciously.
- LiveVault stands behind its claims with a 100% guarantee. This is only possible because LiveVault has the technology and the professional staff to monitor your backup processes 7×24 to ensure that you are getting the protection that you expect.