Part III – The trouble with SAS 70 audits

In my last post, I wrote a bit about Joe’s sub shop. Specifically, I used an analogy to show there are certain things you should expect and be able to see when it comes to safety, whether it’s gloves and hairnets for food preparation or an audit report like SysTrust for data center compliance. Now, I’m going to build on the same analogy to get into some of the specific shortfalls of the common SAS 70 audit.

Let’s start by reevaluating what our visit to the sandwich shop might look like when using a vendor that only provides a SAS 70 audit from their data center provider. I think you’ll find that the experience would likely be very different and much less enjoyable.

Just as before, you pull into the parking lot, drive past the other stores, and then park in the back where Joe’s is located. But, when you walk up to the counter, there’s no menu.

You see, in a SAS 70 audit, the cloud vendor’s report can only be distributed to existing customers… and even then, it’s only intended to be read by other auditors. This is why most cloud vendors will only offer a letter from an executive affirming that they have completed a SAS 70 audit when a prospective customer asks for proof that they’ve completed an audit.

They’re not being intentionally difficult by withholding the full report. They’re just following the AICPA’s (American Institute of Certified Public Accountants) own guidance for how SAS 70 reports should be distributed.

After looking to the left, to the right, up at the ceiling, down at the floor, back behind you and under the stack of napkins (that menu has to be here somewhere!!), you shrug and ask the employee by the register:

“Do you sell roast beef sandwiches?”

The employee responds:

“Yes, that’s my favorite sub!”

As you watch another customer exit the store with a sub sandwich that is packed with a variety of exotic ingredients, you realize you better not make any assumptions about what Joe puts on his roast beef sandwich.

“Can I see a menu so I know what’s in your roast beef sandwich and what options I have?”

The employee responds:

“I can’t give you a copy of the menu until AFTER you’ve bought something. Sorry.”

You sigh heavily, look to the heavens hoping for an explanation of why you have to endure such foolishness, and reluctantly buy a soda.

The employee thanks you for your purchase and then hands you a letter from the owner of the store, Joe. It essentially states that the menu does in fact exist and then goes on to celebrate that their financial auditors have observed the sub shop over the course of several months and have concluded that the ingredients listed within the menu are accurate.

The employee clearly expects you to be impressed with this letter, but you instead feel disoriented… like everyone else is in on the joke except you.

“But I still don’t know if the roast beef sandwich contains onions?!?! I’m allergic to onions. My doctor says I shouldn’t eat them.”

The employee gleefully responds that the full menu, including the ingredient list for their roast beef sandwich, is being sent to your accountant.

Hopefully, you get the point I’m making. Because the SAS 70 audit format was designed to support the needs of financial audits, it can represent a serious challenge for customers attempting to use it as the primary means of ensuring a cloud vendor’s services meet their particular compliance needs.

ALL of the information is in the audit report but gaining access to that report involves jumping through a series of silly hoops or ignoring the AICPA’s own guidance for how SAS 70 audit reports should be distributed.

To be clear, I’m not saying that SAS 70 is a bad audit format. It is just ill suited for this particular purpose. The SAS 70 audit format was originally designed to support financial audits. The self-defined objectives and limited report distribution portions of the standard are perfectly reasonable within that context. Problems arise only when a SAS 70 audit is used as a general purpose IT audit for services delivered at Internet scale.

Next time, in the final part of this series, my topic will be, “the trouble with data center audits.” Stay tuned, but in the meantime, please let me know if there are questions or concerns I can address.

2 Responses

  1. Erin Joy says:

    Thanks for the clarity around the SAS 70 audit. I’m curious to know what you recommend for this particular purpose? Perhaps I should ‘stay tuned’ for the next in series!

  2. Justin Alexander says:

    Hi Erin,

    Thanks for reading my post and for asking an excellent question.

    My advice is to seek out cloud vendors that offer their own audit report. I also recommend giving strong preference to prescriptive audit standards that are explicitly targeted toward information technology systems and processes, such as SysTrust® and ISO 27000.

    For ISO 27000, organizations must pay a small fee to download the audit standard.

    The SysTrust principles can be downloaded for free. This is one of the reasons OnBase OnLine uses this standard. We feel that it also aligns very well with the specific needs of the ECM industry.

    http://www.webtrust.org/principles-and-criteria/item27818.pdf
