Offsite security conditions are always a factor to consider when a company enters an outsourcing deal, but regulatory initiatives are raising the stakes.
IT executives need to ensure service providers have proper system controls in place before and after they enter into sourcing and hosting arrangements, analysts say. It's not only a good business practice, it's also increasingly required by law.
One law putting a spotlight on outsourcing deals is the Sarbanes-Oxley (SOX) Act of 2002, which Congress passed in the wake of accounting scandals at firms such as Enron and WorldCom.
SOX has IT and finance departments working closely to review and modernize companies' financial reporting systems to comply with its regulations. Of particular concern is Section 404 of the legislation, which calls for company executives and third-party auditors to certify the effectiveness of internal controls - technologies and processes put in place to preserve the integrity of financial reports.
Doing due diligence to Section 404 means looking into conditions at outsourcing and hosting providers' sites, where sensitive corporate data might be accessible, processed or stored. That's where Statement on Auditing Standards (SAS) 70 comes in.
SAS 70 is an auditing standard developed by the American Institute of Certified Public Accountants for service organizations. It prescribes a method for an auditor to examine control activities at a service organization or outsourcing firm.
There are two types of SAS 70 audits. A Type 1 audit focuses on general controls at a single point in time and doesn't include testing by auditors. A Type 2 audit is more intensive - and more appropriate for SOX compliance. It looks at conditions over a prolonged period of time, and auditors perform testing to verify the effectiveness of controls at service organizations.
SOX compliance efforts have elevated interest in the auditing standard, which has been around since 1992. "We are doing a lot more SAS 70s lately," says Ed Byers, a principal at Deloitte & Touche.
Outsourcers agree that users are beginning to ask for SAS 70 audits. "It was something our customers were looking for," says John Engates, CTO at Rackspace Managed Hosting.
Ernst & Young recently concluded an SAS 70 Type 2 audit for the San Antonio managed hosting provider. The audit covered controls related to service delivery and operations, infrastructure maintenance, change management, back-up processes, and logical and physical data center access, Engates says.
Rackspace underwent the audit at the request of some of its largest customers, which are facing SOX Section 404 deadlines, Engates says. Section 404 says companies must prepare reports - to accompany their annual reports filed with the Securities and Exchange Commission - assessing the effectiveness of their internal control structures and financial reporting procedures. Section 404 deadlines are staggered and begin this spring.
"They really need some assurance that the controls that are in place outside of the walls of their companies are as effective as the controls inside their companies," he says.
At the same time, Rackspace benefits from having gone through a formal process to analyze and document its internal controls. "It put a spotlight on our documentation and the formalization of our policies and processes," Engates says.
Securing SAS 70 certification requires a commitment - of personnel and budgets - on the outsourcing providers' part. At Rackspace, the certification process took almost one year, from the early stages of defining the scope of the audit to the full-blown testing of controls.
Comments (1)
RE: Offsite security complicates compliance
By javed tyagi on January 5, 2008, 7:08 am
linux