Is your SaaS system in line with SOX compliance requirements?

A SaaS vendor can provide many benefits, but adhering to SOX compliance requirements remains a concern. Here’s help to stay compliant when using Software as a Service.

Adoption of Software as a Service (SaaS) has grown rapidly in the past few years, and with reason. A SaaS vendor can help a company deploy software more quickly and at lower cost than systems that require local installation. Many SaaS products also offer access from anywhere and updates that take effect immediately, with no rollout on the customer's side.


The benefits of SaaS systems are numerous, but one overarching concern has hampered the potential for universal SaaS adoption: data security. Many businesses are uncomfortable trusting their internal data to an external location and relying on a SaaS vendor's infrastructure to keep information safe from corruption and theft. In addition, there are legal implications to storing company data off-site. Under the Sarbanes-Oxley Act (SOX), a company remains fully responsible for the controls over its financial data, regardless of whether that data is stored on-site or entrusted to an outside vendor; outsourcing a system does not outsource the accountability for it.

So how do you maximize the benefits of SaaS while minimizing the risk of data issues or legal trouble?

SaaS and data security

There is a major misconception about SaaS: that it is inherently more vulnerable than an internally hosted system. SaaS data can certainly be compromised, but it is more accurate to view SaaS security threats as "different" rather than "more extensive." The customer gives up physical control of the data and inherits the vendor's multi-tenant, Internet-facing exposure, but also sheds the patching, hardening and monitoring burden that an in-house system carries.

In fact, in-house storage systems are often less secure than the average SaaS offering. The SaaS vendor's business depends on keeping customer data available and protected, whereas for many other businesses those concerns are incidental to the core work. In-house systems also require constant upkeep and maintenance, which a stretched IT staff may not keep on top of. A good SaaS vendor removes that problem by applying updates on a regular schedule and having knowledgeable staff on hand when something breaks.

SOX compliance is the concern for most publicly traded companies, particularly where financial data is stored. The reason is simple: to remain SOX compliant, a company's signing officers must certify that its financial statements are fair and complete and that the internal controls behind them are effective. If reported figures and actual data disagree, those officers can face severe penalties, up to and including jail time.

Naturally, if such a company is considering external storage for anything that feeds its financial reporting, it will require assurance that the data and the controls around it are sound. Fortunately, there are ways to check for that assurance and to judge the trustworthiness of potential SaaS vendors before signing.

SAS 70: A cure for the common corruption

If a company uses a SaaS vendor, that vendor should be required to produce a SAS 70 audit report. A SAS 70 report is an independent auditor's assessment of the vendor's internal controls: it documents what controls the vendor claims to operate and, depending on the report type, whether those controls actually work. It can also spare the customer from auditing the vendor itself, saving time and money. (SAS 70 has since been superseded by SSAE 16 and the SOC 1 report, which covers controls relevant to a customer's financial reporting; the Type I and Type II distinction described below carries over unchanged.)

There are two types of SAS 70 audits: Type I and Type II. A Type I audit examines the vendor's internal controls as of a single point in time and reports on whether they are fairly and completely described and suitably designed. A Type II audit covers the same controls but goes further by testing whether they operated effectively over a review period. A Type II report is much stronger evidence and may be required by the company's own auditors. Many vendors begin with a Type I audit and commission a Type II audit later, once customers demand it. A company should weigh the sensitivity of the data it intends to store with the vendor and decide which type of report it will accept; if a Type I report is acceptable to start with, the contract can require the vendor to deliver a Type II report at a later date.

A SAS 70 report is an excellent method of evaluation, but it is not a substitute for a solid contract between the company and the SaaS vendor. Beyond confirming that its own auditors will accept the report, the company must make sure someone actually reads and understands it: the scope of the controls covered, any exceptions the auditor noted, and the "user control considerations," the controls the vendor assumes the customer operates on its own side (for example, managing its users' access rights), which the customer must implement for the report to mean anything.

When it comes time to solidify the business relationship, a company should consider including some of the following stipulations in the SaaS contract:

  • Advance notice of planned maintenance and system changes, with set lead times and a list of who must be notified.
  • Uptime percentage guarantees, with defined measurement and remedies for misses.
  • Notification of outages, including a resolution plan and timetable.
  • Backup procedures, including retention periods and restore testing.
  • Tech support policies and procedures.
  • Physical security procedures at the hosting facilities.
  • Device and media controls, including secure disposal of storage that held customer data.
  • Use of system monitoring tools, and whether the customer can obtain the resulting logs.

Take these measures into account, and SaaS should pose no greater threat than on-site data storage. If you have the opportunity to introduce SaaS systems into your organization, it is worth examining how far they can streamline your operations. Odds are they will meet some or all of your data needs.

Curt Finch is CEO of Journyx Inc. Connect with him through Facebook, Twitter or via his blog. Write to him at [email protected].
