• can't say i have gone through a sas 70 attestation, however, i have reviewed them.

    sounds like you are a 3rd party service provider, so you probably house some company's financial application(s) or are a datacenter or something along those lines.

    a sas 70 is basically an audit, but not as tough (best way i could put it). auditors will come in, evaluate your controls around security, software development, etc. and then make a decision on how well your environment is controlled. this info is then relayed onto whoever you provide data services for.

    here is a scenario of how a normal audit and sas 70 attestation could go:

    normal audit - the company does not review users with access to their in-scope applications/systems, deficiency noted, that deficiency then needs to be remediated

    sas 70 - no review of users with access to in-scope apps, that is noted on the report, but, it's up to the company if they want to remediate it. it's my guess the company you provide service for will want you to remediate it, so they can put greater reliance on your report.

    hope that helps, let me know if you have any other questions.