"SAS 70 certification validates that Sabrix operates as a certified and trusted outsourced tax research provider that meets the rigorous operational controls associated with Sarbanes-Oxley compliance."
That declaration, which resided at press time on the Website of Sabrix, a tax-management software-as-a-service (SaaS) provider, is typical of the language that SaaS vendors and other third-party service organizations use to highlight the importance of auditor reports that are based on the guidance known as Statement on Auditing Standards No. 70.
Yet the professionals who conduct SAS 70 audits and the organization that develops the auditing standards both warn that such descriptions often mischaracterize the nature and purpose of SAS 70. Marketers routinely exaggerate the value of all kinds of external validations, from "Ten Best" car lists to "Best Places to Work" rankings. Corporate IT decision-makers must beware of this overreach, because as the rush toward SaaS and other forms of cloud computing accelerates, understanding what a third-party service provider has actually demonstrated becomes more critical than ever.
A SAS 70 audit is a check on a service firm's controls over the processes and systems that could affect the accuracy of entries in its customers' general ledgers; it is not a general assessment of the firm's security, availability or service quality. Audit firms and the American Institute of Certified Public Accountants (AICPA) are concerned that as more service providers trumpet their receipt of a clean SAS 70 report, misunderstandings about what the reports truly address will result in the finger of blame (and the lawsuits that may follow) being pointed at auditors for failures that lie outside the scope of SAS 70.
"The way SAS 70 reports are being marketed, service organizations are implying a level of assurance and trust that simply doesn't exist," says Dan Schroeder, a partner with accounting firm Habif, Arogeti & Wynne and chairman of the AICPA's Information Technology Executive Committee. "It is grossly over the top."
There are two types of SAS 70 reports. A Type 1 report describes the services provided and the controls the service organization says are in place over them, with the auditor's opinion on whether that description is fair and the controls are suitably designed as of a single date; it does not test whether the controls actually worked. A Type 2 report, which is where the controversy mainly resides, additionally offers an opinion as to whether there was reasonable assurance that the controls operated effectively throughout a defined period. Any broader claim about what a SAS 70 audit means is likely to be invalid.
In part, that's because SAS 70 reports are meant to be shared only with the service provider's customers and the customers' auditors, for use in helping them evaluate controls over outsourced functions. Trying to claim that the mere existence of a report has value to potential customers, which is implicit in marketing activities, "doesn't make sense," says Chuck Landes, vice president of professional standards and services for the AICPA.
The implication that "because you have a report anyone can trust you to meet their specific needs," says Schroeder, who specializes in SAS 70 audits, "is a misrepresentation of what SAS 70 is about."
Auditor Angst
What grates on the auditors, in particular, is the use of the terms "SAS 70 certified" or "SAS 70 compliant," which they argue imply guarantees, or the meeting of statutory or regulatory requirements, that in fact don't exist. A vendor voluntarily engages an auditor to prepare the report, the vendor itself defines the controls the report covers, and there are no specific criteria for its content. "When somebody says they are 'SAS 70 certified,' I have no idea what that means," says Landes.
Sabrix says the language it uses in referencing its SAS 70 audit equates simply to a guarantee that it used a third-party independent auditor to examine its controls. "We've never misrepresented ourselves," says Carla Yrjanson, vice president of tax research and content at Thomson Reuters, which acquired Sabrix last year.
There are many variations on the theme. Until July, NetSuite, one of the largest and most successful financial SaaS providers, said on its Website that its SAS 70 "certification" meant that it had "been through rigorous audit of its control over information technology and all related processes," that customer data was "always backed up and safely stored," and that it provided reliable service "now and in the future."
Even if all those claims are true, Schroeder notes that they exaggerate what a SAS 70 audit actually addresses. Simply having a report doesn't mean the audit was rigorous; no auditor uses words like all and always (which imply a guarantee); and auditors' SAS 70 opinion letters explicitly note that they make no forward-looking representations.
When CFO inquired about the language NetSuite used, the company quickly changed the statement to say that the audit "documents that we have been through an in-depth audit of our control environment." With the new language, according to Schroeder, "they got it right."
"We certainly want to be accurate," says David Downing, NetSuite's chief marketing officer. "If the use of the word certified was inaccurate [we wanted to correct it]." He also called on the AICPA to "get control of the process" and provide guidelines for vendors on how to communicate their SAS 70 status.
Reader Comments
David Barton
Sep 27, 2010 11:47 AM ET
Type I is useless?
Sorry William, but I have to disagree. A Type I SAS 70 report is not useless when it is evaluated properly and in the …
William Tennison
Sep 8, 2010 9:58 AM ET
SAS 70 reports usefulness
Both Dave and Chris bring up excellent points. A SAS 70 Type 1 report is basically useless for evaluating an …
David McCann
Sep 1, 2010 1:46 PM ET
Response to Chris
Chris, thank you for your well-stated comments. Let me offer the following observations: -- With regard to Jim …