Interesting point - Amazon AWS claims to have completed a SAS70 Type II attestation, something that's being talked about in audit circles right now. Something I've found lacking in most audits is a truly effective and well-tested COB (Continuity of Business) plan. I don't know if that type of thing was covered or even tested, but it should have been.
At least for critical systems such as financial systems and cloud computing environments, there should be a disaster/COB plan that is annually reviewed and tested at least on a semi-annual basis. I've issued process improvement points where several data centers were totally relying on a hot-copy method of COB to a 2nd or 3rd data center but weren't performing a full-on test of their written plans. Having it designed, documented and approved is not the same as performing a test of operating effectiveness.
Incidentally, after this year, there is no more SAS70. It has been replaced with what is known as SSAE-16. The testing is essentially the same, but the reporting requirements are different this time around.