SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
In A Post- Sarbanes-
Oxley, SaaS World
McKenna Partners LLC,
for SpearMC Consulting (Booth
What is SaaS?
What is SAS 70?
Security risks in a SaaS environment
Who is McKenna Partners LLC?
McKenna Partners LLC is a specialized
boutique consulting firm, with expertise
in Mexico and Latin America.
We focus on serving other professional
services firms and industry in the area
of internal control, IT governance. and
Francine McKenna, President, is also
the author of the blog, re: The Auditors
Who is SpearMC?
SpearMC is a full-service consulting
and technology services firm.
We focus on Oracle/PeopleSoft suite of
The company was founded in 2001 by
KPMG / BearingPoint alumni
In growing world of SaaS multi-tenancy
and virtualized/shared computing
resources, how are SAS 70 issues getting
It’s a bit out of date to just get a traditional
data center SAS 70 certification when
resources are being co-mingled across
customers, and often hosted at a sub-
Depending on SAS 70s for a real level of
assurance in a SaaS environment is
Do your applications have the controls
needed to insure the integrity of financial
reporting as well as support complex
Statement on Auditing
Standards No. 70 (SAS 70)
• An international auditing standard that
enables businesses that provide
services to other organizations to
provide an independent, trustworthy
account of their internal control
Oracle and SaaS
• Leading vendors have adopted the Oracle SaaS
Platform for developing and delivering secure,
scalable and easy to integrate Software as a Service
• The move to SaaS or On-Demand presents several
technical challenges for software vendors and
hosting service providers.
• ISVs have to support multi-tenancy, integration and
• Hosting service providers have to support scalability,
performance, security, patching, service level
management and billing.
SaaS vs. On-Demand
• SaaS architectures generally can be
classified as belonging to one of four
quot;maturity levels,quot; whose key attributes
are configurability, multi-tenant
efficiency, and scalability.
• SaaS means software.
• On-Demand can mean anything -
(bandwidth, computing power, storage,
• Level 1 - Ad-Hoc/Custom: Each customer has its own
customized version of the hosted application and runs its own
instance of the application on the host's servers. Reduces
operating costs by consolidating server hardware and
administration. (ASP model)
• Level 2 - Configurable: Provides greater program flexibility
through configurable metadata, so that many customers can use
separate instances of the same application code. Vendor meets
different needs of each customer through detailed configuration
options, while simplifying maintenance and updating of a
common code base. (Modified ASP)
• Level 3 - Configurable, Multi-Tenant-Efficient: Adds multi-
tenancy to the second level, so that a single program instance
serves all customers. This approach enables more efficient use
of server resources without any apparent difference to the end
user, but ultimately is limited in its scalability. (Standardized
ASP or Software On-Demand)
• Level 4 - Scalable, Configurable, Multi-
Tenant-Efficient: At the fourth and final SaaS
maturity level, scalability is added through a
multi-tier architecture supporting a load-
balanced farm of identical application
instances, running on a variable number of
servers. The system's capacity can be
increased or decreased to match demand by
adding or removing servers, without the need
for any further alteration of application
What is the implication for SAS
• In an ASP, the vendor hosts your
application controls in their ITGC
environment. Do they maintain your app
controls and meet your standards on
• In a pure SaaS with standardized
instance, you accept the vendor’s
application and ITGC and controls. Do
they meet your standards?
Who performs a SAS 70 “audit”
• A SAS 70 audit is performed by an
independent auditor and results in a
SAS 70 report, provided by service
provider to its customers and clients for
use when they themselves are audited.
Current uses and objectives of
• SAS 70 is not a law, but an auditing and
disclosure standards in various
jurisdictions around the world such as
Sarbanes-Oxley in the United States.
This means up-to-date SAS 70 reports
are a de facto requirement for any
business that provides IT services to
Due diligence therefore requires that you
not only request a SAS 70 report from a
prospective SaaS provider, but that you
examine it thoroughly to determine
whether the provider will be able to
comply with your own internal standards
for privacy, data security, and so on.
The earlier you start this conversation,
What purpose does a SAS 70
• All SaaS providers should be prepared to
provide SAS 70 reports.
• Not a stamp of approval.
• No minimum standards.
• A SAS 70 report documents internal control
practices of an organization, without offering
any judgment as to whether they are
satisfactory. This is up to the user
Customers must tell providers
which controls are important and
what standards are expected.
• Example: If local privacy laws require
your customers' personal financial data
be stored in encrypted form at all
times, a SAS 70 report will document
whether the provider's own data-
storage practices will enable the
customer to be in compliance with the
SaaS providers should be prepared to
answer questions from potential
customers during demos/evaluations.
They often point to controls to be
expected later and attested to by SaaS
IT General Controls - The
Auditors Bottom Line
• The COBIT framework may be used to assist with
SOX compliance, although COBIT is considerably
wider in scope.
• 2007 SOX guidance from the PCAOB and SEC state
that IT controls should only be part of the SOX 404
assessment to the extent that specific financial risks
• Scoping decision part of entity's SOx top-down risk
assessment. Statements on Auditing Standards 109
(SAS109) discusses the IT risks and control
objectives pertinent to a financial audit.
IT General Controls
• Control Environment, or those controls designed to shape the
corporate culture or quot;tone at the top.”
• Change management procedures - controls designed to ensure
changes meet business requirements and are authorized.
• Source code/document version control procedures - controls
designed to protect the integrity of program code
• Software development life cycle standards - controls designed
to ensure IT projects are effectively managed.
• Security policies, standards and processes - controls designed
to secure access based on business need.
More IT General Controls
• Incident management policies and procedures - controls
designed to address operational processing errors.
• Technical support policies and procedures - policies to help
users perform more efficiently and report problems.
• Hardware/software configuration, installation, testing,
management standards, policies and procedures.
• Disaster recovery/backup and recovery procedures, to enable
continued processing despite adverse conditions.
Where’s my data?
•Due to compliance and data privacy
laws in many countries, knowing data
locality is critically important to meeting
•With cloud computing and Saas, issue is
a challenge. You often don’t know where
data is being stored or where application
is really being run.
•“Don’t worry. Be happy.”
Separate but equal - data
• Multi-tenancy is a SaaS advantage, but
mixing my data with my competitors is
• Users must never see data they are not
authorized to see.
• My data should never be seen by other
customers, especially competitors.
Right user, right time - Data
• You know how to protect data from
unauthorized access within your organization.
Roles, responsibilities, access, and
authorization policies and procedures
controlled within most IT organizations.
• Saas providers must be able to reassure
regarding access, authorization, activity
monitoring and segregation of duties.
Who is watching and how?
• Log management and security information
and event management solutions readily
available for internal IT.
• Access logs are critical to compliance,
operations and security. SaaS providers
should provide logs as part of normal service.
Who are you? Why are you
here? Authentication and
•Many companies have designed IT infrastructure so
all authentication, goes through single application
such as Active Directory.
•If user credentials stored in SaaS provider
databases, controls must be in place for
•Could insist on delegation of authentication process
to your LDAP/AD server to maintain control if
provider’s controls not up to internal standard.
Too much of a good thing? Web
•SaaS applications have to be used and
managed over the web (in a browser.) How
secure is your provider’s web application from
breaches such as hacking?
•Verizon says 59% of breaches are due to
hacking. Maybe SaaS providers should start
considering providing something similar to
what PCI DSS has required of merchants.
The Enemy Within - Data
breaches from insiders
•Responsibility for segregation of duties and
access authorization still falls on customers,
not providers when data is on the cloud.
•Take into consideration provider employees.
They have access to even more info and a
single incident exposes info from many
•Example: Soc Gen - All IT controls
implemented by IT management, but no one
PCI DSS - Not Optional
•SaaS providers must be compliant
with PCI DSS in order to host
merchants that are required to
•Similar non-negotiable requirements
for other industries such as financial
services or health care.
• Tough Security Questions For SaaS
Providers Part 1 and 2 at the Blog for
• Wikipedia Information Technology Controls
entry (from COBit)
• Wikipedia entry on Software as a Service
• ISACA - The Information Systems Audit and
SpearMC Education Sessions:
Now that SOX is behind us. What about SAS70?
– Session 52070 on Thursday 12/4/08
– Utopia D from 8:30 – 9:30
Project Costing and Workflow at Transunion
– Session 51850 on Thursday 12/4/08
– Nirvana B from 1:30 – 2:30
Advanced PeopleSoft Financial Security Reporting
– Session 52060 on Friday 12/5/08
– Nirvana B from 8:30 – 9:30