I remember evaluating a secured data center (complete with then current SAS 70 I and II audits), finding an open door, walking past all of the main power controls and continuing to walk through one-way (push to open) doors to the front office where a security guard sat (ostensibly) reviewing monitors. He said nothing as I signed-in as Mickey Mouse and flashed my driver's license with a thumb over the picture. There were other flaws that eliminated this installation from being chosen as a co-lo for our financial data. Bottom line -- audits are only snap-shots in time, prepared by well-paid auditors who tend to pre-flag problem areas for management correction before writing a final report -- investigate before you invest (hat tip to the Better Business Bureau).