SAS 70 is Not Proof of Security, Continuity or Privacy Compliance

Posted on Thursday, July 15, 2010 by ITVarNews Network

According to Gartner, Inc., Statement on Auditing Standards (SAS) 70 is being misused by many vendors, and often by their customers and certified public accountants (CPAs), in the hosted-application, software as a service (SaaS) and cloud computing spaces.

Gartner analysts said SAS 70 is too often treated by vendors and their customers as a certification "proving" security and compliance with privacy or other regulations that require enterprises to monitor their exposure to vendor risks.

"SAS 70 is basically an expensive auditing process to support compliance with financial reporting rules like the Sarbanes-Oxley Act (SOX)," said French Caldwell, research vice president at Gartner. "Chief information security officers (CISOs), compliance and risk managers, vendor managers, procurement professionals, and others involved in the purchase or sale of IT services and software need to recognize that SAS 70 is not a security, continuity or privacy compliance standard," he added.

SAS 70, published by the American Institute of Certified Public Accountants (AICPA), provides a service provider's auditor with guidance on how it should report on process-related risks relevant to financial statements and transaction processing. Intended for use by the customer's auditor, the result of a SAS 70 engagement is either a Type I attestation that the processes as documented are sufficient to meet specific control objectives, or a Type II attestation, which additionally includes an on-site evaluation to determine whether the processes and controls actually function as anticipated.

"Many providers of traditional application hosting, SaaS and cloud computing are currently treating SAS 70 as if it were a form of certification, which it is not," said Jay Heiser, research vice president at Gartner. "Furthermore, some claim that SAS 70 addresses security, privacy and continuity, which is misleading. Instead, it is only a generic guideline for
