In the release, Gartner warns enterprises against application hosting, SaaS and cloud computing providers who treat SAS 70 as a form of certification that addresses privacy, continuity and security in the cloud. SAS 70 is only a generic guideline for the preparation, procedure and format of an auditing report. It always places the onus on the service recipient, or more precisely on the recipient's auditor, to ensure that all controls relevant to the recipient's requirements are examined.
Gartner recommends a mix of the following methods to supplement or serve as an alternative to SAS 70 for security in the cloud: background and reference checks; vendor self-assessment and attached evidence (evidence could include Payment Card Industry security assessments, self-testing, and records from other external audits); on-site audit by the enterprise's own internal auditors and application of direct controls on the services provider (for example, having vendor employees undertake the organization's ethics training and sign off on the code-of-conduct policy).
Enterprises can also evaluate alternative assessment standards for vendor security in the cloud, compliance and risk management, such as ISO standard certifications, BITS Shared Assessments, SysTrust and WebTrust (which are formal security certifications that are sponsored by the AICPA and carried out by CPA-qualified auditors), and AT Section 101, which is a flexible attestation procedure sponsored by AICPA that can be used by any CPA-qualified auditor. Gartner also recommends SAS 70's successor Statement on Standards for Attestation Engagements (SSAE) 16 to ensure cloud provider's claims of security in the cloud.