SaaS Concerns
How Will They Impact Vendor Compliance Requirements?
SaaS, or Software-as-a-Service, has grown steadily in popularity over the past few years, mainly because of its low cost, low maintenance, reduced time to deploy, and multi-platform functionality.
However, this growth has also given rise to concerns over data integrity and SOX (Sarbanes-Oxley) regulatory requirements.
SOX Compliance
The SOX Act places responsibility squarely on the signing officers for the integrity of financial statements. They are also responsible for the implementation and status of internal controls and are required to report any gaps and deficiencies.
SAS 70 Audit
To minimize any issues that might arise from this concern, it is important for organizations to obtain a SAS 70 (Statement on Auditing Standards No. 70) Audit Report from their SaaS vendor. This is an assurance from the vendor that internal standards and controls have been implemented, which will ultimately assist in the protection of company data. There are two types of SAS 70 reports – Type I and Type II – both of which will form part of the company's auditable list of controls.
Data Concerns
Cell phones and portable memory sticks are a huge corporate liability, since mobile devices are not within the confines of the company's firewall. Companies that regularly share critical data with their SaaS vendor should examine their policies closely in order to address concerns about data encryption, the length of time the data will remain with the vendor, its removal, the types of devices used by the vendor, and the steps the vendor takes to protect the company's data.
Coverage and Protection
Companies that comply with SOX requirements must require their vendors to undergo regular audits of data security. Companies should also assess whether the controls in place are sufficient, with adequate data protection systems including backup procedures, disaster recovery, and internal policies and controls.
