SaaS + SOX = SAS 70 Type II Certification

IT general controls should be followed by any well-managed IT organization irrespective of regulatory requirements like SOX, period. When it comes to verification of IT general controls for SOX audits (internal or external), it is not a question of best practice or nice to have; it is a must-have requirement. Generally in an organization, the testing/verification of IT general controls by external auditors is not performed for all systems and all controls. It is tested against the set of applications that are directly or closely related to the financial statements. It is common for an organization to classify its systems as SOX systems and non-SOX systems. IT controls are strictly followed for the SOX systems (they should be!!)

The SaaS (Software as a Service) model will be widely used in the future and will play a significant role in any future IT landscape. How can the SOX requirements be fulfilled with the SaaS model? How will internal and external IT auditors be able to test the IT general controls if an IT service is provided by an external service provider?

What is SAS 70 and Type I & Type II report?

SAS 70 (Statement on Auditing Standards No. 70) is an auditing standard for service providers (service organizations) that enables auditors to evaluate the service organization's IT general controls and write a report on the effectiveness testing of those controls. The service organization's audit report can be used by the user organization and by the user organization's auditors.

Type I Report
Focuses on the service provider's IT-relevant controls and their objectives. The auditor validates the controls and expresses an opinion on whether the controls are fairly presented and suitable to meet the stated objectives.

Type II Report
Type I report plus an assessment of the operating effectiveness of the controls over a period of time (not less than 6 months); the report can be provided as evidence of the effectiveness testing of the IT general controls against the stated objectives.

Should an IT organization mandate SAS 70 Type II certification from all SaaS service providers?

The American Institute of CPAs (AICPA.org) has published an applicability document.

The way I understand the document is that SAS 70 Type II certification is required if the service organization provides a service or transactional operations that are significant to the financial statements. With this understanding, if an organization is sourcing financial controlling and reporting to a service provider (as a SaaS model), then the service organization is required to have SAS 70 Type II certification. If an organization is sourcing a marketing web site to a service provider (SaaS or ASP model), then the service organization is NOT required to have SAS 70 Type II certification.

4 Responses

  1. You should expect next year's audit report to be an SSAE No. 16 as opposed to a SAS 70, with some more duties for management!

  2. Thanks for that info. I wasn’t sure what SSAE 16 was until I looked it up at http://www.ssae-16.org.

    Some good info to know!

  3. […] SaaS + SOX = SAS 70 Type II Certification Posted on July 2, 2008 by prabasiva […]

  4. Nice post. I used to be constantly checking this blog and I'm inspired! Extremely useful info, specifically the closing section 🙂 I handle such information much. I used to be looking for this particular information for a very long time. Thank you and good luck.
