An ASP Security Step That Matters

A security guarantee is a stickier issue than ever for ASPs and their clients. The under-used SAS 70 audit has big benefits for both sides.

As an Internet attorney, I have many clients who outsource some of their company’s technology-related tasks to Application Service Providers. Often, their number one concern is security — how much of it are they getting from their ASPs, and how do they know that their ASPs are really giving them the best security available?

Ironically, the one solution that may provide a panacea for my security-conscious clients is the one thing that few ASPs do. I’m referring to the shamefully underused process of a “Statement on Auditing Standards Number 70” audit, or “SAS70” audit.

If you own or manage an ASP, then you should seriously consider the benefits offered by an SAS70 audit. If you’re the customer of an ASP, you might want to shop around for an ASP that has successfully completed a SAS70 audit. Jeff Sopshin, a CPA and partner with Ernst & Young, agrees and believes that “building a trusted online environment should be a significant part of an ASP’s business plan and that a SAS70 certification can help build this trust.”

What is an SAS70 Audit?

The American Institute of Certified Public Accountants first developed the SAS70 audit standard in 1993, designing it to provide baseline guidance in the area of electronic data security. There are two types of SAS70 audits, Type I and Type II.

A Type I audit is like a snapshot of your ASP’s security system. It’s a one-time engagement that tells whether the safety precautions of your ASP are working correctly at the time the audit is performed.

A Type II audit is analogous to a short documentary about your ASP’s security. It evaluates the same things as a Type I audit, but the Type II audit is conducted over a period of many months. The advantage is that it evaluates both the efficacy and the consistency of your ASP’s security system.

The Need for SAS70

Three or four years ago (which is the computer industry equivalent of the Stone Age), if you asked your ASP about its security precautions, you were handed a service level agreement or “SLA,” which described your ASP’s security system in general terms.

And, mind you, we’re talking about really general terms. Some of the oldies but goodies included, “industry standard security” (which, depending on the “industry,” was either very good, or all-out rotten), “industry leading security” (which, again, ranged from “great” to “we’re an accident waiting to happen”) or my personal favorite, “reasonable security.” To me, “reasonable security” was akin to saying, “Whatever everybody wants.” Of course, what you wanted always differed from what they wanted.

Today, however, businesses are more educated about the risks involved in outsourcing, and they’re not willing to settle for vague and ambiguous security standards. Not surprisingly, ASP clients are demanding more security precautions than an SLA can provide.

Enter the SAS70 audit.

The Pros and Cons

OK, I admit it. Nothing good in life is cheap or easy, and the SAS70 audit is no exception to this rule. That being said, there are three reasons why ASPs shy away from SAS70 audits.

First, a SAS70 audit is a painstaking process, performed only by CPAs or licensed auditors with nimble fingers and unforgiving calculators. Second, it isn’t cheap. Third, depending on the type of audit being performed and the existing internal controls, a SAS70 audit can take more than six months to complete.

Still, the upside of a SAS70 audit can greatly outweigh the financial and logistical inconvenience it may cause. For example, let’s say that you’re the owner of an ASP. If you want to stay competitive, you have to find a way to continuously reassure your customers that your ASP is operating in a safe and secure manner. Also, you probably want to find a more efficient way to complete the multiple security audit requests that you receive from your corporate customers on a yearly basis.

According to Ernst & Young’s Sopshin, many organizations that undergo a SAS70 audit are able to take the opportunity to strengthen their internal control processes and find efficiencies.

Through SAS70 certification, you can do both. First, you can confidently advertise the fact that your ASP has been deemed safe and secure by independent auditors — your customers will like that. Second, you could consolidate all security audit requests into a single yearly audit, and simply provide a SAS70 report to your customers upon request.

Now, look at it from a customer’s point of view. Let’s say that the CEO of Company X decides to outsource its payroll and accounting services to your ASP. Undoubtedly, one of the first questions that your ASP will get from Company X’s Board of Directors is, “How do we know that our data is safe?”

If your ASP was SAS70 Type I certified, you could tell Company X that your ASP’s protocols were audited from the inside out, and that an independent CPA certified that your ASP adhered to its stated principles of privacy, security, and reliability. If your ASP was SAS70 Type II certified, you could tell Company X that independent auditors have concluded that your ASP not only adheres to its privacy and reliability principles but also that it does so on a consistent basis.

This is one of those win-win situations. ASPs shouldn’t make excuses for not doing the audit, and customers shouldn’t ignore this certification when doing business with an ASP.

Posted by on May 21, 2001