Statement on Auditing Standards No. 70: Service Organizations
SAS70 provides an auditor’s statement on the effectiveness of the internal controls of a service organization. As of June 2011, it is gradually being replaced by ISAE3402.
SAS70 leaves a lot of leeway regarding transparency over the implemented controls. The fact that an organization has acquired a SAS70 attestation says nothing about how that service organization addressed risks. Cloud providers that have had a SAS70 audit should provide transparency over the controls and how those controls are implemented.
A copy of the SAS70 audit guide can be bought on the AICPA store website.