Over the last few weeks, many service organizations have started to receive requests from customers wanting to know the “controls standard” used as the basis for their SAS 70 audits. These requests initially seemed like a strange coincidence, but eventually it became clear that something was causing the inquiries. A quick Google search was all it took to identify the source, a Gartner report issued in late June, entitled “SAS 70 Is Not Proof of Security, Continuity or Privacy Compliance,” written by analysts Jay Heiser and French Caldwell. This one report has spawned more derivative articles on the topic of SAS 70 than any other in the standard’s history. Unfortunately, the report includes a statement that is regularly misinterpreted by readers. Now that the report has gone “viral,” service organizations must prepare to respond to questions about the basis of their SAS 70 report.
I first read the Gartner report when it was released. Its contents were so innocuous that I hardly gave it a second thought. Articles proclaiming that a SAS 70 audit is not a security assessment are a dime a dozen. But this report is different. Despite its title, the document does not deride the SAS 70 standard. Instead, in less than 10 pages, the report provides the basic information regarding the SAS 70 audit and its proper use by service organizations, their clients, and CPA firms.
A major finding of the report is that the SAS 70 audit is not a security or compliance audit and does not result in a certification. For anyone familiar with the SAS 70 standard, this finding is not newsworthy. But toward the end of the report, the authors suggest alternative standards that may be “adopted” when proof of security, continuity or privacy compliance is required. They describe ISO 27001/2, BITS Shared Assessments, SysTrust, WebTrust, and AT Section 101; all of these except AT Section 101 contain a prescriptive collection of security and compliance controls.
Unfortunately, the use of the word “adopted” is having unintended consequences. Some readers are incorrectly interpreting this to mean “adopted as the basis for a SAS 70 audit” even though the report makes no such recommendation. In fact, it uses the term “alternative assessment standards” when referring to the other standards. While the report does not explicitly state this, it seems clear that the authors intended to identify the alternative standards as being complementary to the SAS 70 standard rather than as a suggested basis for a SAS 70 audit. This is further evidenced when the report uses phrases such as “instead of the SAS 70” when discussing the use of the alternative standards.
Of course, Gartner reports always attract significant attention, and these issues are being compounded by the hundreds of subsequent articles on the report, many of which further confuse the situation. For example, Compliance Week has already published two articles on the Gartner report, entitled “Study Faults SAS 70 Audits for False Sense of Security” and “SAS 70 Reports, in Harsh Spotlight Again.”
Forgive me, but this is misleading. The study does not fault SAS 70 audits as the cause of any false sense of security. Instead, it blames misuse and ignorance for causing the false sense of security. The report essentially concludes that SAS 70 audits work for the purposes intended, and not so well when used otherwise. I suppose someone could interpret that as criticism, but for most of us, it merely states the obvious.
The combination of these issues means that service organizations are now being forced to respond to illogical questions regarding the “basis” of their SAS 70 audit. One organization responding to client inquiries generated by the Gartner report is Peak 10, a managed services company operating multiple data centers located throughout the United States.
According to David Kidd, Peak 10’s director of quality assurance and compliance, “Our response has been that our SAS 70 audit is designed to report on the controls we have implemented to meet the needs of our clients, versus the controls that are suggested by any number of well known risk management standards which may not appropriately specify controls suitable to our business or our customer’s needs.” While Peak 10 does not use any alternative standards as the basis for its SAS 70 audit, Kidd stated, “Our management incorporates ‘best practice’ guidance from outside standards, such as ISO 27002, COSO, PCI DSS, and others when designing and implementing controls, but we customize our controls based on what makes the most sense for us and our customers.”
Service organizations responding to inquiries on this topic should consider the following points when preparing a response to customers:
- Statement on Auditing Standards (SAS) No. 70 is the only required basis for a SAS 70 audit. It has a very specific purpose, and that purpose cannot be achieved through any alternative standard.
- In the absence of technical citations to the contrary, there is absolutely no authoritative professional guidance that suggests that a SAS 70 audit should be based on any alternative standard.
- The well-known standards, such as ISO 27002 and COBIT, include codes of “best practice” controls that are normally specific to IT and compliance topics. They are also largely common sense, which means that organizations instinctively implement some subset of the controls, usually without any consideration of the standards. For example, all organizations recognize the need to secure access points to their facilities and do so without ever studying ISO 27002 section 9.1.2 – “Physical entry controls”. Many controls included in these alternative standards may appear in some form in a SAS 70 report, but the overlap is often just a coincidence.
- Alternative standards each have a specific purpose. Depending on the reporting objectives of the service organization and its customers’ needs, an organization could need both a SAS 70 audit and an assessment performed in accordance with an alternative standard. However, it is incorrect to assert, for example, that ISO 27002 compliance can be, or should be, assessed in the form of a SAS 70 audit.
In other words, service organizations should not allow a misunderstanding of the SAS 70 standard or process to persist. SAS 70 audits are “based” on the needs of service organizations and their customers, and are not based on alternative standards promulgated by organizations unrelated to the practice of public accounting. The flexibility of the SAS 70 standard over prescriptive standards is its strength. It allows the standard to be applied to a wide variety of business and IT processes far beyond the limited purview of each alternative standard. By understanding this distinction, service organizations can use the client inquiries generated by the Gartner report as an excellent opportunity to extol the virtues of their customized SAS 70 audit scope, as well as their organization’s awareness of these issues.