Frequently Asked Questions:

Learn About SAS 70 and SaaS

How is SAS 70 relevant to SaaS, you might ask? This question has been posed to me many, many times over the past 6 months by clients in the Software as a Service (SaaS) industry. So how and why is SAS 70 relevant to SaaS?

There are a number of reasons, so let's begin at the top and work our way down.

The evolution of the software industry: When you think of SaaS, the core components of this industry are development, maintenance, and change management activities, along with other functions directly associated with any SaaS vendor. Furthermore, many SaaS vendors provide critical outsourcing services to many large companies in the U.S. Many of these large U.S. companies are publicly traded and must adhere to Sarbanes-Oxley standards, and Section 404 requires management to establish effective internal controls. Establishing "effective internal controls" also means examining the internal controls of the organization's third-party outsourcing entities, many of which just happen to be SaaS industry vendors. So what's the default audit for conducting an assessment of an outsourcing provider's internal controls? That's right: SAS 70 Type II audits.

SaaS and regulatory compliance clash, or rather, join at the hip: As with any type of business today that is driven by technology and security (and the SaaS industry falls into this silo), regulatory compliance laws have had a profound effect. As a result, the SaaS industry has had to deal with HIPAA compliance and GLBA security issues, along with Sarbanes-Oxley and other legislative compliance rulings. And many times, what is the default audit for ensuring these regulatory compliance mandates are being met? SAS 70.

If you are interested in reading more, SAS 70 sample reports are available to anyone, free of charge.