SAS-70 audits assess the internal controls, in particular the data-security controls, of outsourcing providers. These checks have become a regular part of Section 404 compliance. The problem is, they cost a lot, and "it isn't clear that they are all that effective," says Jonathan G. Gossels, president of information security firm SystemExperts.
Part of the issue is that SAS-70 audits are not standardized; each accounting firm performs them differently. "If I were a CFO, I would want to know that my outsourcers have been measured against an objective standard, not one the auditor made up," says Gossels. Some audits, he says, look only at existing policies, not best practices. For example, if a company does not have a policy to prevent new data servers from being deployed with their default passwords, there is no guarantee that the audit will uncover it. Another problem is that the audits don't necessarily test every one of the outsourcing provider's facilities.
Larry Runge, CFO of dbaDirect, a data-infrastructure management firm, says the concerns are misguided. While he agrees that client firms need to ask about audit criteria, he is comfortable with the level of assurance the audit provides. More to the point, he says, "I don't see another alternative."
But Gossels has another suggestion: abandon the SAS-70 audit in favor of a "more comprehensive" international standard, such as ISO 27002. Rather than allow negotiation on procedures, ISO 27002 sets specific standards that must be met to earn what Gossels considers a meaningful seal of approval.