"SAS 70 Type II or equivalent" is the magic thing to ask for if you want any meaningful results!
Not an accountant, but wouldn't you need a SAS 55 too, to be sure? Also, from what I remember, isn't this standard geared towards nonfinancial companies rather than financial organizations? In how far does this apply to MtGox, given that they are based in Japan and that it is a US standard? What would be the Japanese equivalent to ask for?
It only applies to the extent we as his customer base demand it of him. For him to get a SAS 70 he wouldn't be doing it to comply with any law, he would be doing it to fulfill our demand for an independent report detailing his controls and an opinion on their effectiveness as practiced, all signed by somebody with their credentials on the line. There might be a Japanese equivalent, but personally I'd rather read a SAS 70 from a US-based auditor, possibly because I don't speak any Japanese.
And SAS 70 already has a recipe for things to look for in an "application service provider"... for example, the scope of such an audit is already documented and known to cover procedures such as backups, who has access to modify data, who has access to modify source code, security solutions being used, etc.
I have been mentioning SAS 70 to Mark as of several months ago. No interest was displayed. Besides asking in numbers, the best way to persuade him to do it, in my opinion, is to go get TradeHill and Camp BX to get one done, so he'll be left out.