Sabrix says the language it uses in referencing its SAS 70 audit equates simply to a guarantee that it used a third-party independent auditor to examine its controls. “We’ve never misrepresented ourselves,” says Carla Yrjanson, vice president of tax research and content at Thomson Reuters, which acquired Sabrix last year.
There are many variations on the theme. Until July, NetSuite, one of the largest and most successful financial SaaS providers, said on its Website that its SAS 70 “certification” meant that it had “been through rigorous audit of its control over information technology and all related processes,” that customer data was “always backed up and safely stored,” and that it provided reliable service “now and in the future.”
Even if all those claims are true, Schroeder notes that they exaggerate what a SAS 70 audit actually addresses. Simply having a report doesn’t mean the audit was rigorous; no auditor uses words like “all” and “always” (which imply a guarantee); and auditors’ SAS 70 opinion letters explicitly note that they make no forward-looking representations.
When CFO inquired about the language NetSuite used, the company quickly changed the statement to say that the audit “documents that we have been through an in-depth audit of our control environment.” With the new language, according to Schroeder, “they got it right.”
“We certainly want to be accurate,” says David Downing, NetSuite’s chief marketing officer. “If the use of the word certified was inaccurate [we wanted to correct it].” He also called on the AICPA to “get control of the process” and provide guidelines for vendors on how to communicate their SAS 70 status.
Indeed, the auditing community may bear some of the responsibility for the misuse of SAS 70, suggests Jim Reavis, executive director of the Cloud Security Alliance. “There is a lot of misleading marketing out there,” he says, “and the auditors are complicit to an extent. They understand the business model of cloud providers, but their own [business model] is to have a narrow scope. There’s plenty of blame to go around.”
Schroeder, in fact, says he frequently gets requests from service vendors to prepare SAS 70 reports for purposes that are outside their intended scope. Even firms with services that don’t affect customer financial statements at all, such as HR or communications software, may try and sometimes succeed in getting SAS 70 audits done. Auditors who take on such jobs may not be fulfilling their professional responsibilities, Schroeder says.
SAS 70 dates back to 1993, but it gained rock-star status after the 2002 Sarbanes-Oxley Act identified it as one way a firm could establish reasonable assurance that a service provider had effective controls over output to clients’ general ledgers. That led most firms to include a SAS 70 audit on their checklist of requirements for such vendors.
Now, with the number of SaaS and cloud-computing providers mushrooming, there is a greater focus on what SAS 70 does and does not address. Vendor and auditor marketing departments aren’t the only ones that should take that into account: so should customers.