MediClick’s year-long journey into SAS70 taught us much about the auditing process, and we now feel well prepared for future audits. Toward the beginning of 2008, a few industry colleagues had tainted my view of the assessment standard. With great reservation and consideration, MediClick’s management team decided to embark on the daunting SAS70 voyage into the unknown. By December 2008, though, MediClick had navigated the sometimes perilous audit without incident, exceeding my expectations and enlightening my view of the auditing process.
To wrap up this trilogy, I will reflect on a few of the topics I’ve learned during MediClick’s SAS70 travels:
- What makes a SAS70 Type 2 audit successful?
- What are the important components of an audit report for the SaaS consumer?
- What is the fate of the SAS70 audit?
Successful SAS70 Audit
It’s now the end of 2010 and the dust has settled from three successful SAS70 Type 2 audits at MediClick. This raises the question: “what exactly is a successful audit?” In the SAS70 report, each control objective is listed and the test cases for it are described; results are documented for each test case. From a pure report point of view, success is having no relevant exceptions reported across all test cases. That is the simple answer, but reality is more complex; it comes down to two key elements:
1. Management Awareness
Is management aware of the activities occurring within its company? Are there meetings to establish corporate direction and confirm results? Is there an approval process for software enhancements and for access rights to operational systems? Is all access to networks and physical locations shut down when an employee is terminated? The bottom line is that management must be aware of, and approve, activities within the organization, and that awareness and approval must be evidenced through paper or electronic documents.
2. Segregation of duties
I remember talking to an IT executive about his SAS70 process; he said his company had to revert to a SAS70 Type 1 audit rather than a Type 2 audit. If you recall from previous blogs, a Type 1 audit states the control objectives without any testing. His company failed the Type 2 audit process because the auditors discovered that developers had been deploying code directly into production from their desktops. As you might imagine, fixes were lost when one developer overlaid changes made by another. Source code control was nonexistent.
This illustrates the basic point of segregation of duties: the people who write the code should not be the people who ship it. You need a separate team to deploy and test applications in a QA environment and then install them into production systems.
Important Components of an Audit Report
I should also note that MediClick receives SAS70 reports from our partners, too. The hosting sites for our production and hot fail-over servers provide us with their SAS70 reports. So what do you do if you are a recipient of a SAS70 report? The answer is simple: READ IT.
I recall a fellow Triangle Technology Executive Council member who complained about some loose practices of a SaaS provider he was using. He complained to the provider’s management team and their response was: “You shouldn’t be surprised; these exceptions are noted in our SAS70 report.” I asked him what he did with the report when he received it. His reply: “I filed it in my drawer without turning a page.” Lesson learned!
There is a section of the report to which you should pay particular attention. Titled User Control Considerations, it lists the controls that the SaaS user must implement within his own operations to mitigate risks while using the application; the provider’s audit assumes these controls are in place and does not test them. In short: it’s your responsibility! Examples are:
- Ensuring your organization has adequate bandwidth to the Internet
- Providing secure access to each application user
- Creating your own policies and procedures for user access, such as disabling application access upon an employee’s termination
Reading the SAS70 report gives great insight into the SaaS provider’s operations. There were several instances where I felt that control objectives of importance to MediClick were missing from our providers’ reports. Case in point: one of our hosting sites provides full back-up management services for MediClick. In their report, they tested the control objective covering the back-up and the transfer of the tapes to Iron Mountain. The missing element, which I felt was critical, was a test validating that the back-up tapes were actually readable, i.e., that data could be restored from them. The end result was to add these tests to our own control objectives.
Fate of the SAS70 Audit
Finally, what is the future of the SAS70 audit? It’s changing next year and will become SSAE 16, the Statement on Standards for Attestation Engagements No. 16. All service providers with an opinion period ending after July 2011 will be under the new guidelines (please don’t hold me to this, as these dates have a tendency to change). You can find further details at http://www.ssae-16.com/. In short, the goal of this change is to align the United States with the international standard on assurance engagements issued by the IAASB (http://www.ifac.org/IAASB/), ISAE 3402 (http://www.ssae-16.com/category/isae-3402/).
It appears new challenges are forming on the horizon. But that’s another trilogy.