Monday, March 09, 2009

SAS 70 Audits for Windows Azure and SQL Data Services?

I cross-posted the Will SDS Undergo a SAS 70 Type I or Type II Audit Prior to Release? If Not, When? question of 3/6/2009 from the Windows Azure forum to the SDS forum because the original had received no response by 3/9/2009:

Is it the SDS Team's intention to have a service auditor perform an AICPA Statement on Auditing Standards No. 70, “Report on the Processing of Transactions by Service Organizations”, Type I or (preferably) Type II audit in time that would permit the result of the audit to be available by SDS's RTW?

I’m certain that enterprise-scale organizations subject to Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), IT audits, or all three, will need an SAS 70 from the cloud storage vendors to meet IT governance standards. Here’s part of what Microsoft’s Software as a Service (SaaS): An Enterprise Perspective 2006 whitepaper by Gianpaolo Carraro and Fred Chong has to say about SAS 70:

Statement on Auditing Standards No. 70 (SAS 70) is an international auditing standard that enables businesses that provide services to other organizations to provide an independent, trustworthy account of their internal control practices. An SAS 70 audit is performed by an independent auditor and results in an SAS 70 report, which the service provider supplies to its customers and clients for use when they themselves are audited. SAS 70 is not a law, but auditing and disclosure standards in various jurisdictions around the world (such as Sarbanes-Oxley in the United States) make up-to-date SAS 70 reports a de facto requirement for any business that provides services to other businesses, and any SaaS provider should consider having one readily available for examination.

SAS 70 is not a stamp of approval, in that it does not dictate a minimum set of standards that an organization must meet. An SAS 70 report only documents the internal control practices of an organization, without offering any judgment as to whether they are satisfactory. Due diligence therefore requires that you not only request an SAS 70 report from a prospective SaaS provider, but that you examine it thoroughly to determine whether the provider is able to comply with your own internal standards for privacy, data security, and so on. For example, if a local privacy law requires that your customers' personal financial data be stored in an encrypted form at all times, a provider's SAS 70 report will reveal whether the provider's own data-storage practices will enable you to remain in compliance with the law.

Amazon published Amazon Web Services: Overview of Security Processes on 9/5/2008, which contains the following statement regarding SAS 70 audits:

AWS is working with a public accounting firm to ensure continued Sarbanes Oxley (SOX) compliance and attain certifications such as recurring Statement on Auditing Standards No. 70: Service Organizations, Type II (SAS70 Type II) certification. These certifications provide outside affirmation that AWS has established adequate internal controls and that those controls are operating efficiently.

The publication covers security processes for Amazon EC2, Amazon S3, and SimpleDB.

As of the date of this post, AWS had not replied to the following review question of 1/23/2009:

Is there an estimated time in which you think AWS will obtain this certification?

I believe the SDS and Windows Azure teams should announce their intentions regarding recurring SAS 70 audits for the Azure Services Platform and SDS without further delay.

Update 3/9/2009 12:00 PM PDT: NDB, LLP’s Cost [of a] SAS 70 Audit | An Auditor’s Opinion on Pricing for SAS 70 Audits estimates that SAS 70 audit costs “range from $15,000 to 20,000 for a Type I and $25,000 to $35-40,000 for a Type II.”

Sumner Blount interviews CA’s Vice President of IT Compliance, Rob Zanella, about compliance issues in cloud computing in Expert Q and A: CA’s Rob Zanella on Cloud Computing and Compliance of 3/9/2009.