Frequently Asked Questions:
SaaS and SAS 70 | Software as a Service and Auditing Standards No. 70
SAS 70 audits are being performed on Software as a Service (SaaS) entities at a feverish pace, and for a number of reasons. The growing surge of regulatory compliance legislation, such as Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley, just to name a few, is without question creating the biggest compliance demands on SaaS service providers.
But wrapped into these compliance demands is the natural evolution of SaaS entities, which has further pushed the SAS 70 requirements on them. Specifically, the development and hosting of software applications, a primary function of the SaaS industry, has grown tremendously in the past 3 to 5 years as businesses move away from the traditional client-server mentality. As such, a due diligence audit was greatly needed to ensure that these very SaaS providers have a strong system of internal controls for safeguarding sensitive data, along with validation that their core daily operational activities are carried out in a safe and secure manner. Thus, the emergence of the SaaS industry coincided with the advent of Sarbanes-Oxley (SOX) and the great push for regulatory compliance mandates. Ultimately, SAS 70 audits quickly became the de facto auditing standard for evaluating SaaS industries, and the relationship has become even stronger over the years and will continue to do so as the years pass.
Attention SaaS service providers: SAS 70 audits, if they have not already, will soon become an annual part of your growing regulatory compliance mandates for years to come. The SAS 70 auditing standard is a flexible and scalable standard that readily adapts to the demanding needs of any industry, particularly the SaaS industry.
To learn more about SAS 70 audits, visit the official SAS 70 resource guide, where you can learn what SAS 70 really is and receive SAS 70 sample reports.
