Either I don't get it or I'm calling (at least partial) BS on SaS 70

  • Article

Please educate me on SaS 70 as either I don't get it or its importance is in my opinion overly inflated.

I keep hearing from various analysts the importance of SaS 70 (preferably type 2) certification for SaaS vendors; and I of course hear a lot of SaaS vendors who went through the process, gloating about their SaS 70 (preferably type 2) certification. But, unless I am missing the point, SaS 70 is NOT a quality label. According to the web site https://www.sas70.com/about.htm (my emphasis)
SAS No. 70 provides guidance to enable an independent auditor ("service auditor") to issue an opinion on a service organization's description of controls through a Service Auditor's Report (see below). SAS 70 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve. [...] A SAS 70 Audit is not a "checklist" audit.

My understanding is that the auditor will ask about the controls you have in place, and will verify that what you do is what you say you do. Which is IMO very different than verify that what you do is what you should be doing. In other words, the main value of SaS 70 is to have an independent auditor certify that you are not lying about what you are doing, not that you are doing the right thing.

Continuing to read the description of the service:

A Type II report not only includes the service organization's description of controls, but also includes detailed testing of the service organization's controls over a minimum six month period.

Cool, now the auditor is not only making sure you are not lying about what you say you are doing, she will also test for 6months that what you are going to do is what you told her you were doing. This has again the same limitation, the control themselves are not judged, their existence and application is tested for 6 months not their quality. 

The description of the SaS 70 engagement mentions that the service auditor will express an opinion, including whether the controls were suitably designed to achieve specified control objectives. Same story here, the opinion is about whether what you are doing is coherent with your objectives, not an opinion about the objectives themselves. Let's take this ridiculous and extreme example: if you have as an objective to trash the data every week and your controls are a perfect match for trashing data every week, would the opinion be positive? I personally don't know, but based on the way SaS 70 is described it would seem so.

Also, and bear in mind that I have never met a SaS 70 auditor but based on the description they are professionals who have experience in accounting, auditing, and information security.  I hope the one who audited the vendor you are considering buying from, was more of the latter type (information security) and not too much of the former (accounting type). Don't get me wrong, I value CPAs very much, but not necessarily for making sure that the multi tenant database design will be preventing cross tenant data leakage.

Frankly, based on my current understanding (and PLEASE, as mentioned at the beginning of this post, educate me if I am completely missing the point) SaS 70 seems to be more a "checkbox" that SaaS vendors seem to be forced to have due to all the recommendations out there about being certified than something that is really important to actually have.

Yes, making sure that a SaaS vendor is not lying is critical, but (a) hopefully I have other ways of assessing that (e.g. referrals comes to mind) (b) the fact that the vendor is not lying is a necessary condition for me to buy from him, but it is not sufficient. Not lying is not equal knowing what you are doing.

Don't take this post as a mockery of SaS 70, but an attempt to (1) better understand myself what the big deal around SaS 70 is (plus get educated if I am wrong) and (2) hopefully raise some awareness around the possible misconceptions of what SaS 70 really is, so SaaS buyers and vendors understand what they are really getting out of it. 

Are you a SaaS vendor SaS 70 certified? What did you gain (a part from the checkbox)? What was your experience? Please leave a comment, I'd love to know.

P.S.

Maybe I should ask a SaS 70 auditor his own SaS 70 type 2 certificate and see what type of opinions come out :)