During a SAS70 audit, an auditor may examine any relationships with third parties. Any third party agreements or service level agreements should contain:
1. procedures to protect all outsourced data, applications or hardware
2. a description of the services provided and the target level of services
3. the establishment of an escalation process should an incident occur
4. the right to audit and determine that they are adhering to your agreement
5. the respective liabilities of both parties should an incident occur.
During a SAS70 audit, you have a choice to exclude your outsourced services or include them in the examination. I would recommend you include them, especially if they are essential to the services you are providing to your customers. SAS70ExPERT@gmail.com