Why is SAS 70 Relevant to SaaS in Today's Regulatory Compliance Landscape?
Many people are now asking how SAS 70 is relevant to SaaS in today's growing regulatory compliance landscape. The emergence of the software as a service industry, known simply as SaaS, has propelled Statement on Auditing Standards No. 70 (SAS 70) to the forefront of compliance for yet another dynamic and briskly growing market segment. For many years the software industry operated in a very traditional mode: software was developed, purchased by a client, and "housed" in a client-server environment at the client's own site. Much has changed with the advent of the internet, which has given rise to software applications, and all of their supporting systems, being "housed" or "hosted" in a SaaS environment. Generally speaking, the age of the client-server model has greatly diminished as companies gain economies of scale by having the application (also commonly known as the platform) "hosted" by the SaaS vendor or by an approved data center or managed service entity.
So why is SAS 70 relevant to SaaS for purposes of compliance? Because in many cases the software and its supporting platform are part of a service organization's core business model, and that platform has an inherent relationship to a user organization's information systems. Does that sound a little technical in compliance terms? Here is a simple example of a common scenario playing out every day in the SaaS industry, showing why SAS 70 is relevant to SaaS.
Example of Why SAS 70 Is Relevant to SaaS
- The ABC Company is a service organization that has developed proprietary software for medical billing. The software is "hosted" internally at the ABC Company's corporate facilities, in its own data center.
- The XYZ Company is the user organization. It is a large, publicly traded HMO in the United States. The XYZ Company has contracted with the ABC Company to provide this software to its claims personnel for handling and facilitating medical claims.
- As with any publicly traded company, the XYZ Company must undergo a yearly financial audit. The XYZ Company's financial statement auditors have determined that the services provided by the ABC Company are an important component of the financial audit, and want to learn more about the services the ABC Company is providing to the XYZ Company.
- As a result, the ABC Company is asked to produce its annual SAS 70 Type II audit report. Though a highly simplified example, it gives you an understanding of why SAS 70 is relevant to SaaS.
Additional Points on Why SAS 70 Is Relevant to SaaS Include the Following:
Developing Software and Compliance Go Hand in Hand
Now more than ever, software developers are falling under the compliance umbrella, as witnessed by auditors' increasing demands that they document and prove their SDLC activities. Auditors are testing an array of internal controls in software development shops, such as change management functions, segregation of duties, separation of development and production environment responsibilities, and many other critical areas. SAS 70's relevance to SaaS is profound here because this highly visible auditing standard is what is being used to test the internal controls of these software development entities.
Data Centers and Co-locations Used for "Hosting" the Software Platform
After the initial development of the software, many SaaS providers choose to use a high-quality data center, co-location or managed services entity to house the application and its data. There, the application and its supporting platform receive the benefits of constant uptime and connectivity, with numerous security features enabled, such as firewall and IDS/IPS protection, just to name a few.
Now, let's revisit the XYZ and ABC Company scenario to see why SAS 70 is relevant to SaaS. What if the ABC Company, the service organization, did not have its own internal data center, but had to outsource hosting to another organization? If it outsourced the hosting of the application to, say, the EMC data center, then the EMC data center would fall under the compliance umbrella, requiring it to also provide its SAS 70 Type II audit report.
What is important to note about why SAS 70 is relevant to SaaS is simply the large scope the auditing standard can have from a compliance standpoint. It can "touch" and affect many organizations in the SaaS industry, such as all of the following:
- The software developer that has initially developed and still maintains the application.
- The data center, co-location or managed services entity that "hosts" the application.
- Any other entity or organization that the above organizations may outsource to, as there may be implications on "sub-service organizations."
