Let’s be clear, SAS70 should be sentenced to a quick and painful death in the bottom of a giant pit protected by 20-foot thick concrete walls where it should be buried forever, along-side other IT criminals such as Windows ME and IE6.
While SAS70 has its place in financial auditing, it should never have been used as a standard for IT or information security.
I understand that the use of SAS70 for IT sprang from a lack of reasonable alternatives. Given the general dislike for SysTrust and WebTrust, auditors and their clients had to get creative. The only alternative at the time was SAS70.
In retrospect this choice makes perfect sense. It’s unfortunate that the security industry has become so dependent on the SAS70 because somehow it’s become the de facto standard. SAS70 is a lousy IT standard at best because it offers everyone an easy way to pass a security audit when their programs deserve a failing grade.
The flaws in SAS70 for IT are enormous, but the biggest has to be that it lacks a standard framework. Sure, the AICPA established guidelines and recommendations, but in practice the controls tested are up to the company being audited. This means that a SAS70 audit for IT essentially boils down to a short conversation:
The client says to the auditor, "Hey I did this"(insert any minimal security oriented practice). The auditor says, “Yup, so you did. You get a gold star and my audit stamp of approval. Here is your SAS70 report.”
W00t, mission accomplished!
As you might imagine, SAS70 audits are a breeding ground for IT sleights of hand. Let’s say you’ve been having problems with backups, but passing the upcoming SAS70 audit is part of your MBOs. You are undaunted because you know the ropes and are an ‘evolved’ survivor of many IT audits. You reach out to the auditor before the audit period begins and ask them to remove the backup control from the audit. Problem solved! The significant risk of audit failure is instantly reduced. Your MBOs are safe.
As long as clients can add or remove controls as desired, it should be perfectly clear that SAS70 is not a meaningufl standard framework, and this makes it useless in comparing various vendors.
An SAS70 IT certification by itself is nearly meaningless. Underneath in small type it should say, “Buyer, beware!” Even after you get your hands on the SAS70 report for a specific vendor, and this is a non-trivial accomplishment in itself, it’s entirely up to you to read and understand the report control by control.
This means that you as the buyer first have to sit down and decide which controls are important to your business goals. Then you have to study through all the reports to find out which of the potential vendors you are evaluating were audited for those specific controls.
This takes a lot of time and it’s not easy to get this far, but you are nowhere near done because even simple procedures can vary widely from vendor to vendor.
Let’s go back to our backup example for an illustration of how much room for ‘interpretation’ there is in SAS70 audits. A SAS70 audit can document that a specific vendor completes backups daily, but how long is the data retained? Is the data retained in a safe location? And, are the backups encrypted? Are backups taken offsite?
If you aren’t asking more detailed questions about your prospective vendors’ backup processes, you don’t really know very much about them.
Without proper guidance from standards like COBIT to guide the audit framework, there is enormous latitude in this one simple control and, therefore, huge room for error in the larger report. This is why it’s impossible to compare one vendors’ SAS70 report to another.
As an IT professional that has evaluated many SAS70 reports, I firmly believe the usefulness of a SAS70 audit report is pretty close to zero.
SAS70 still has a place in financial auditing, but the time has come to get rid of it for IT audits forever. It lacks any kind of precision and forces customers to spend enormous amounts of time in due diligence interpreting the fuzzy results.
Watch out SAS70, there’s a new IT standard in town and it’s called the SOC2.
In follow-up posts, I’ll be discussing the value of the SOC2.