Understanding the Many Benefits
of a SAS 70
by Philip M. Cronin, CISSP, and Bruce Eissner
In this paper, we describe how
a SAS 70 may be a requirement for serving many customers, and how,
ultimately, the SAS 70 can benefit the service provider too.
In formal terms, SAS 70 is Statement on Auditing Standards No. 70,
"Service Organizations," an auditing standard issued by the AICPA.
In everyday usage, "a SAS 70" is the service auditor's report that
a "service organization" obtains under that standard and can provide
to its customers. The report attests to the internal controls of
the service organization as that organization describes them. If a
company either provides or plans to provide services of the kinds
listed in the box below, a SAS 70 may be required by the customer.
SAS 70s required if you provide:

Outsource services:
- Claims handling
- Investment advisors
- Custody services
- Payroll services
- Billing services
- Clearing houses
- Credit processors

Hosting or ASP services to these verticals:
- Financial
- Accounting
- Manufacturing and IT
- Healthcare industries
- Customer care
- Human resources
- Benefits management
- Payments and administration
Required by law.
The Sarbanes-Oxley financial reporting act, the Gramm-Leach-Bliley
privacy act (GLBA), the Health Insurance Portability and Accountability
Act (HIPAA) and California's SB1386 notification act all
require that sensitive data be protected. None of them names the
SAS 70 as such; what they require is the protection, and the SAS 70
has become the accepted way for a service organization to show
independent evidence of it. And for good reason; the headlines have
been everywhere: MasterCard, ChoicePoint, LexisNexis, and on and on.
Simply put, companies that handle sensitive data are required to
protect that data. Companies that provide outsource services or
hosting/ASP services now need to provide substantial assurances to
their customers. Those customers have the choice of auditing the
service organization themselves or of accepting a SAS 70 from the
service organization. The first option, auditing the service
organization, can be costly and inefficient for both organizations.
The second option, accepting a SAS 70, will be effective only if the
service organization provides a substantial and current SAS 70: in
practice, a Type II report covering a recent period, since a Type I
report describes controls at a point in time and does not test
whether they operated.
What the customers
expect: The Federal Reserve Bank of New York uses "a
SAS 70 report as a starting point for assessing assurances and
controls at external service suppliers" according to Sean
Mahon, vice president. The bank recently decided not to use the
services of a salary benchmarking consultancy because it lacked
a SAS 70 report and the bank required independent evidence of
the consultancy's security processes to protect sensitive employee
data.¹
Northern Trust Company
of Chicago has beefed up its effort to scrutinize current and
potential outsourcing partners because regulators have made it
clear that "outsourcing relationships are subject to the
same risk management practices" as those used in-house, Hurst
said at a recent forum. First Horizon Bank also spends "considerable
time" performing internal audits and using the SAS 70 certification
standard to ensure that the IT operations of its outsourcers are
compliant with privacy laws, said Patrick Ruckh, First Horizon's
chief technology officer.²
What the service
organizations are saying: "Our SAS 70 certification
is the next level of (service) delivery and illustrates our commitment
to the specific needs of enterprise customers." … Our
"customers can be confident that our … services are
consistent, safe and reliable and that they are compliant with
emerging regulatory mandates."
Our "customers can
trust that our … services are secure and effective and we
are extremely proud to have ongoing third-party endorsements of
(our) network and facility controls," We "will continue
to pursue annual SAS 70 examinations to ensure we are offering
our customers … services that meet their security needs
and allow the exchange of critical data with the utmost confidence."³
A SAS 70 can keep,
attract, and build business. Beyond the examples cited
above, a SAS 70 can be an effective means of attracting new customers
and strengthening ties with existing ones. A SAS 70 can differentiate
one service organization from another. As evidence of that, service
providers with SAS 70s often incorporate the overview section
of their SAS 70 directly into their marketing material.
It's a sign of
assurance. A SAS 70 with an unqualified opinion indicates
that the controls the service provider describes are fairly presented
and suitably designed, and, in a Type II report, that they operated
effectively throughout the period tested; in other words, that the
provider has tight and effective control over its operation and that
the likelihood of financial loss, operational failure or corruption
of data is mitigated. A SAS 70 demonstrates that the infrastructure,
applications and processes have passed rigorous, independent
third-party testing and that the environment incorporates the
processes and controls necessary for effectively hosting and/or
exchanging corporate data and financial information. One caveat a
customer should keep in mind: the controls tested are the ones the
service organization chose to describe, so the report's description
section should be read for scope, not just the opinion page. Overall,
the SAS 70 is a demonstration of both the legal and business
commitment to greater levels of reliability, availability and security.
External audit
vs. internal understanding. A SAS 70 from a service organization
can head off demands for multiple external audits from customers.
Such requests can lead to uncontrolled costs, and they may interrupt
the flow of normal business operations. They may also affect
service organizations' relationships with their customers negatively.
While the SAS 70 can help to avoid these problems, the SAS 70
process in and of itself can also provide real benefits to a service
provider. For example, preparing for the examination forces the
organization to document its controls and to find the gaps before
the auditor does, which leads to improved risk management and
heightened control levels. In addition, the SAS 70 can give
management the confidence that key business objectives are being met
and that business-critical levels of IT governance are in place.
More information.
For more detailed and technical information, please see the white
paper "SAS 70 Overview
and Planning Guide" available at www.polarcove.com.
1. Linda Leung, Network World, 07/28/03 (www.nwfusion.com)
2. Lucas Mearian, Computerworld, 4/11/05 (www.computerworld.com)
3. Recent press releases from several vendors.
© Copyright Orbidex Inc./Polar Cove, 2004.