Your hosting company will need to provide either a SAS70 or SysTrust certification. If they don’t have one, discuss the situation with your auditors. The auditors’ advice may be non-specific, but it will essentially tell you that your hosting environment is under scrutiny for lack of controls. You, as the owner of the data, will need to show how you control your data, and that the necessary mitigating controls are in place to handle the lack of procedures at your hosting center. It’s a bit of extra work to do so, but the cost/benefit basically comes down to:
the cost of a datacenter with SAS70/SysTrust vs. the cost of you writing the docs and staying where you are. An oversimplification is to choose whichever is cheaper and less disruptive to your business.