1. Is your SaaS system in line with SOX compliance requirements?
Adoption rates for Software as a Service (SaaS) have grown exponentially in the past few years, and with reason. A SaaS vendor can help companies implement software more quickly and less expensively than IT systems that require local installs. Many SaaS products also allow universal access and real-time updates. The benefits of SaaS systems are numerous, but one overarching concern has hampered the potential for universal SaaS adoption: data security. Many businesses are uncomfortable with trusting their internal data to an external location and relying on a SaaS vendor’s infrastructure to keep information safe from corruption and theft. In addition, there are legal implications involved with storing company data off-site. Sarbanes-Oxley Act (SOX) compliance requirements stipulate that a company is fully responsible for its own data, regardless of whether the data is stored on-site or entrusted to an outside vendor.

So how do you maximize the benefits of SaaS while minimizing the risk of data issues or legal trouble?
SaaS and data security
There is a major misconception related to SaaS -- that it’s more vulnerable than internally stored data systems. While it’s true that SaaS data can be compromised, it’s more accurate to view SaaS security threats as “different” rather than “more extensive.”
In fact, in-house storage systems may be less secure than your average SaaS software. Whereas the SaaS vendor’s business model is built on data storage and security, these considerations are incidental for many other businesses. Also, consider the fact that in-house solutions require constant upkeep and maintenance, which the average IT personnel might have difficulty completing. Good SaaS vendors can eliminate this problem by offering regular updates and knowledgeable maintenance in the event of a malfunction.
SOX compliance requirements are the concern for most publicly traded companies, particularly when it comes to financial data storage. The reason for this is very simple: a company’s signing officers are responsible for fair and complete financial statements to remain SOX compliant. If there is a discrepancy between reported and actual data, they could face severe punishments, up to and including jail time.
Obviously, if such a company is considering external data storage that has any relation whatsoever to financial information, it’s going to require assurance that the data is secure. Fortunately, there are ways to check for that security and determine the trustworthiness of potential SaaS vendors.
2. SAS 70: A cure for the common corruption
If a company uses a SaaS vendor, that vendor should be required to submit a SAS 70 audit report. The SAS 70 report demonstrates the accuracy and completeness of a vendor’s internal controls. Further, it can obviate a company’s physical audit of said vendor, saving time and money.
There are two types of SAS 70 audits: Type I and Type II. The Type I audit determines the adequacy of a SaaS vendor’s internal controls, and whether or not they have been fairly and completely described. Type II audits look at the same controls but take it further by testing them. A Type II audit is much sounder and may even be required by a company’s own auditors. But many vendors begin with a Type I audit and then undergo a Type II audit should the need arise.

A company should examine the sensitivity of data being stored with a SaaS vendor, and then determine what type of audit is preferable. If it makes more sense, the company can conduct a Type II audit later.
A SAS 70 report is an excellent method of evaluation, but it isn’t a substitute for a solid contract between a company and a SaaS vendor. In addition to making sure that auditors accept the report, a company must determine that the report has been read and understood.
When it comes time to solidify a business relationship, a company might want to consider some of the following stipulations in the SaaS contract:
Advance warning of system notifications, along with set time requirements and who must be notified.
Uptime percentage guarantees.
Notification of outages, including a resolution plan and timetable.
List of backup procedures.
Tech support policies and procedures.
Physical security procedures.
Device and media controls.
Use of system monitoring tools.
Take these security measures into account, and SaaS should not pose a more significant threat than on-site data storage. If you have the opportunity to introduce SaaS systems into your organization, it is certainly worth the examination to determine the extent to which it can streamline your company. Odds are it will match up with some or all of your data needs.
Reference Link: http://searchcompliance.techtarget.com/tip/Is-your-SaaS-system-in-line-with-SOX-compliance-requirements