The answer is a resounding and definitive “No!” According to an article I found on Datamation, How Cloud Computing Security Resembles the Financial Meltdown, putting all your faith in a vendor’s claim to be “SAS 70 certified” is one of the riskiest moves you can make on behalf of your company. It is worth being precise about the term: SAS 70 is an auditing standard, and the product of a SAS 70 engagement is a service auditor’s report (Type I or Type II), not a certificate. The AICPA says plainly that there is no such thing as being “SAS 70 certified,” so the badge on a vendor’s site is marketing shorthand at best.
“Who’s issuing these certifications?” the article asks. “And where’s the money coming from to pay the auditors checking off the list?” The answer is always the same: the vendors themselves. Which makes sense, right? Who else should pay a third-party auditor to cross-examine a vendor’s internal processes but the vendor, as a courtesy, a convenience, and an assurance to its customers that it has its act together and can be trusted?
The point made in the Datamation article was that it was third-party rating agencies who signed off on bundles of shoddy sub-prime mortgages as AAA-rated assets, and they were paid by the very issuers who needed the rating. Shady enough for you? It certainly doesn’t inspire the greatest confidence in organizations that likewise pay their own auditors, although the comparison isn’t entirely fair: a service auditor’s report is an opinion on whether the controls the vendor itself described are fairly presented and (for a Type II) operated effectively over the review period, not an endorsement of the business.
Of course, there is always the option to hire your own auditor instead of relying on the one hired by the company you’re investigating, but not many of us can bear the expense. It ends up being an excellent PR move for vendors to stamp a “SAS 70 Certified” icon on their site with the message: “Your data is safe with us. We’ve been certified.”
Savvy customers would request tangible proof: the actual service auditor’s report, which is written for the customer’s own auditors and which the vendor should be willing to provide under NDA. Requesting it is only the first step in proper due diligence; the second is reading it. Check whether it is a Type I (controls described as of a point in time) or a Type II (controls tested over a period, typically six to twelve months), which systems and locations are in scope, what control objectives the vendor chose to have tested, which exceptions the auditor noted, and what “user control considerations” the vendor expects you to implement on your side. A report that covers the wrong data center, an old period, or none of the controls you care about proves very little. As nice as it would be to take someone’s word for it when they promise you the world, that luxury has probably never existed in any bygone era. The reality is that you’ve got to do your research, and any company you do business with has to have the history and the list of satisfied clients to back up its claims.
In my personal opinion, it is a good sign if the company you’re considering as your cloud computing provider can produce a current SAS 70 Type II report covering the services you will actually use. It is an even better sign if it has also gone through the trouble of validating its PCI DSS compliance, and better still if it can give you a list of client referrals who will attest to their experience with that provider. Altogether it means the company has its head on straight, is up to date on current industry standards, and is proactively on top of its game. It will go that extra mile to give its customers the assurance they need to entrust their data to it, and that in itself is a valuable consideration when you’re comparing the top providers.
Comments
Interesting site. Some useful information and lots of disinformation. Just a quick point. There is no such thing as SAS 70 certified anything. Not a SAS 70 certified company, not a SAS 70 certified service auditor. SAS 70 doesn’t certify anything. Frankly, since you have a blog about SAS 70 you should know this fact. Here is a link to help you out:
http://www.aicpa.org/download/acctstd/QAs_Serv_Orgs_Apr_26_2010.pdf
Here is the excerpt verbatim from the AICPA:
Q. — Will entities now become “SSAE 16 certified”?
A. — No! A popular misconception about SAS 70 is that a service organization becomes “certified” as SAS 70 compliant after undergoing a type 1 or type 2 service auditor’s engagement. There is no such thing as being SAS 70 certified and there will be no such thing as being SSAE 16 certified. An SSAE 16 report (as with a SAS 70 report) is primarily an auditor to auditor communication, the purpose of which is to provide user auditors with information about controls at a service organization that are relevant to the user entities’ financial statements.
What a great resource!
I agree that all cloud computing providers that a company looks into using should be SAS 70 certified. There are so many shoddy providers out there that can and will cut and run at a moment’s notice; you want to find a stable, respectable company.
Found your site on del.icio.us today and really liked it. I bookmarked it and will be back to check it out some more later.
Keep posting stuff like this, I really like it.
What a great resource!
Not sure this is true :), but thanks all the same.
Dougles
Super interesting writing. Honestly.
If only more people could hear this!
If only I had a buck for every time I came here.. Incredible article.
Thanks
Dolly
Keep posting stuff like this, I really like it.
Trackbacks
[...] » SAS 70–Is it All the Due Diligence You Need? SAS70 Wiki [...]
[...] the rest of the article here, and jump to the other article it cites: http://www.SAS70Wiki.com This entry was written by bekah, posted on May 17, 2010 at 3:44 pm, filed under Uncategorized. [...]