SAS 70, the auditing standard, is finding its way onto CSOs’ desks. Used correctly, it’s a nice start on verifying business partners’ security controls. Unfortunately, some people aren’t using it correctly.

The SAS 70 audit—an increasingly popular examination of internal corporate controls—is the source of confusion and debate in the information security world. There are those who swear by it. Jennifer Bayuk, managing director of IT security at Bear, Stearns & Co., calls a SAS 70 audit “probably the best you can get for a security test, especially when you compare it to something like a security penetration study.” Then there are those who swear about it. This article equips CSOs with an understanding of how to be helped, not hindered, by the rise of SAS 70.