Friday, October 28, 2011

SAS 70 Type II Is Not Enough

It's interesting how so many cloud providers point to their SAS 70 Type II attestation. Having been through the process of a SAS 70 Type II audit for a SaaS financial services firm, I'll point out the major gaps that providers do not make clear about a SAS 70 attestation.
  • A SAS 70 Type II attestation is about financial controls, not operations, not security. Therefore if something does not impact the finances of a company it is considered out of bounds for the audit. Remember the AICPA (American Institute of Certified Public Accountants) governs the SAS 70 auditing standard. I respect accountants and auditors, but I have yet to find one whose head I can't make spin with technobabble.
  • There is no standard for the contents of the attestation. The SAS 70 contains self-reported financial controls. Therefore each company, by shopping for an auditor, can intentionally omit germane information and still have an attested report.
  • The attestation report is not available to non-customers by rule. If it is shared with a customer it is a violation, and that alone should make someone wonder. Even as a customer there is often a significant cost associated with getting a copy of a SAS 70 audit report (in the tens of thousands of dollars, based on my experience).
  • The attested report simply validates that the organization does what it says it does. During the audit it is possible to obfuscate issues because the audits do not contain a significant amount of process execution observation.
A more proper standard, given the significant concern over cloud security, is ISO 27001, which is focused on information security. And it is my understanding from friends in the audit industry that better standards and guidance are coming.

Demand more; don't be satisfied with a SAS 70 Type II audit. And if you can't get your hands on it, you're missing nothing.

