Memo to Ops Teams - get Savvy about SAS70

Without getting too deep into the weeds - security is handled on three levels:

  • By the service provider - by using various techniques and technologies to secure the access, communication and storage of data
  • By your practice - by utilizing hardware and software to secure your network and computers
  • By your users - being careful with their usernames and passwords and how they handle the data you manage

The latter two are clearly under your control. The service provider's security is not. An important component for any service provider who works in the "cloud" of the Internet should be a SAS 70 audit. SAS 70 is shorthand for Statement on Auditing Standards: Number 70. It was established by the American Institute of Certified Public Accountants (AICPA). The SAS 70 defines the processes and controls a service provider has in place to correctly manage their business. As it is most often used by service organizations - it also reflects the processes and controls in place to ensure that the information they hold about you and your business is secure.

There are two types of SAS 70 reports - a Type I and a Type II. The Type I documents the aforementioned processes and controls. The Type II - more valuable to you as a decision maker in selecting a vendor - also includes the affirmation of an independent auditor's review and testing of those processes and controls.

In my view - for the most critical and confidential data your business handles (account numbers, tax IDs, bank and medical data, etc.) a Type II SAS 70 should be required for vendor selection. This is an investment by your service provider to attest and confirm they have the processes and controls in place to effectively manage their business and secure your confidential data.

A final note - not only should technology vendors be asked for a SAS 70 by your practice - but also any other service provider who interacts with or stores your data at some point in the business process.
