Audits Can Evaluate ASP's Security Measures

24 May 2001

As an Internet attorney, I have many clients who outsource some of their company's technology-related tasks to application service providers, or ASPs. Often, their top concern is security: how much of it are they getting from their ASPs, and how do they know that their ASPs are really giving them the best security available?

Ironically, the one solution that may provide a panacea for my security-conscious clients is the one thing that few ASPs do. I'm referring to the shamefully underused process of a "Statement on Auditing Standards Number 70" audit, or "SAS70" audit.

If you own or manage an ASP, then you should seriously consider the benefits offered by an SAS70 audit. If you're the customer of an ASP, you might want to shop around for an ASP that has successfully completed an SAS70 audit.

"Building a trusted online environment should be a significant part of an ASP's business plan," says Jeff Sopshin, a CPA and Partner with Ernst & Young. "An SAS70 certification can help build this trust."

What's an SAS70 Audit?

The American Institute of Certified Public Accountants first developed the SAS70 audit standard in 1993. It was designed to provide baseline guidance in the area of electronic data security. There are two types of SAS70 audits: Type I and Type II.

A Type I audit is like a snapshot of your ASP's security system. It's a one-time engagement that tells you whether your ASP's safety precautions were working correctly at the time the audit was performed.

A Type II audit is analogous to a short documentary about your ASP's security. It evaluates the same things as a Type I audit, but it is performed over a period of many months. The advantage is that it evaluates both the efficacy and the consistency of your ASP's security system.

The Need for SAS70

Three or four years ago (which is the computer industry equivalent of the Stone Age), if you asked your ASP about its security precautions, you were handed a service level agreement, which described your ASP's security system in general terms.

And, mind you, we're talking about really general terms. Some of the oldies but goodies included "industry standard security" (which, depending on the "industry," was either very good or all-out rotten), "industry leading security" (which, again, ranged from "great" to "we're an accident waiting to happen") or my personal favorite, "reasonable security." To me, "reasonable security" was akin to saying, "Whatever everybody wants." Of course, what you wanted always differed from what they wanted.

Today, however, consumers are more educated about the risks involved in outsourcing, and they're not willing to settle for vague and ambiguous security standards. Not surprisingly, ASP clients are demanding more security precautions.

Enter the SAS70 audit.

The Pros and Cons

OK, I admit it. Nothing good in life is cheap or easy, and an SAS70 audit is no exception to this rule. In fact, there are three reasons why ASPs shy away from SAS70 audits.

First, an SAS70 audit is a painstaking process, performed only by CPAs or licensed auditors with nimble fingers and unforgiving calculators. Second, it isn't cheap. Third, depending on the type of audit being performed and the existing internal controls, an SAS70 audit can take more than six months to complete.

Still, the advantages of an SAS70 audit can greatly outweigh the financial and logistical inconvenience it may cause. For example, let's say that you're the owner of an ASP. If you want to stay competitive, you have to find a way to continuously reassure your customers that your ASP is operating in a safe and secure manner. You probably also want a more efficient way to handle the multiple security audit requests that you receive from your corporate customers every year. According to Jeff Sopshin, many organizations that undergo an SAS70 audit are able to take the opportunity to strengthen their internal control processes and find efficiencies.

Through SAS70 certification, you can do both. First, you can confidently advertise the fact that your ASP has been deemed safe and secure by independent auditors, and your customers will like that. Second, you could consolidate all security audit requests into a single yearly audit, and simply provide an SAS70 Report to your customers upon request.

Now look at it from your customer's point of view. Let's say that the CEO of Company X decides to outsource its payroll and accounting services to your ASP. Undoubtedly, one of the first questions that your ASP will get from Company X's Board of Directors is, "How do we know that our data is safe?"

If your ASP were SAS70 Type I certified, you could tell Company X that your ASP's protocols were audited from the inside out, and that an independent CPA certified that your ASP adhered to its stated principles of privacy, security and reliability. If your ASP were SAS70 Type II certified, you could tell Company X that independent auditors have concluded that your ASP not only adheres to its privacy, security and reliability principles, but that it does so consistently. This is one of those win-win situations. Don't make excuses for not doing the audit. Find reasons to get it done.

Mark Grossman's "TechLaw" column appears in numerous publications. Mark Grossman has extensive experience as a speaker as well. If you would like him to speak before your group or corporate meeting, please call (305) 443-8180 for information.

You can find a TechLaw archive at:

If you have any comments, please send them to

Disclaimer: The advice given in the TechLaw column should not be considered legal advice. This newsletter only provides general educational information. You must never rely upon the advice given here. Your individual situation may not fit the generalizations discussed. Only your attorney can evaluate your individual situation and give you advice.

Except as provided below, you may feel free to forward, distribute and copy the TechLaw column if you distribute and copy it without any changes and you include all headers and other identifying information. You may not copy it to a Web site.