Passing the Buck

I had an interesting discussion with a SaaS vendor the other day at a networking event. This particular vendor supplies a system to automate certain functions of a company’s accounts payable process. They extract data from the customer and place it in a web-based portal for suppliers to use for checking on payment status, expediting payment, resolving payment disputes, etc. Clearly this service has a direct impact on financial reporting for their customers, so I asked “Who performs your Service Organization Control examination?” Of course I had to follow with a reference to SAS 70 so that she knew what I was talking about.

“Oh, LargeHosting.com” was her reply (fictional name).

Confused, I asked for clarification. “LargeHosting.com performs your SOC examination?” I asked.
“No, they provide it for us. We host our services with them.”

Now the picture was getting clearer. “So I’m guessing then that you don’t have an SSAE 16 or SOC 2 review performed independently?”
“No, why should we? LargeHosting.com is responsible for all of the redundancy, backup and security of our services.”
“What about the controls around the actual sending and receiving of data from your customers? You know, like how do you ensure that if Acme sends you 115 invoice records, that you receive them all and they were accurately filed in the database to the correct customer?”
“OH! We do that regularly with our customers. If we have a file transmission issue, we call them and tell them to resend the data.”
“What happens if your programmers make a mistake in the code resulting in errors for your customers that impact their financial statements?”
“We have a very robust change management process that would catch any errors like that. If one did happen to get through we would obviously correct the error and apply a patch to our code as quickly as possible.”

Here we have a large publicly traded company outsourcing a key part of the management of their Payables function to a SaaS vendor that does not have any third-party attestation around the services they perform. The SaaS provider is relying completely on their hosting company to provide evidence of controls to satisfy the needs of their customers’ auditors and management. As a result, the customer and their auditors have no third-party attestation of the fundamental controls over the development, update, management, and operation of the application controlling this significant business process.

The troubling thing is, this is not the first instance of this scenario that I have encountered. I’ve had several SaaS providers tell me they don’t need to have a SOC report because their hosting company provides them with one.

I am curious to know if the auditor for the publicly held customer has any idea that the controls they should be most interested in understanding (interfaces, input, processing, output, reporting) for the purposes of their financial statement audit are not being addressed by the SOC report provided by LargeHosting.com on behalf of their auditee’s SaaS provider. My guess is the audit team did what most audit teams do – they asked for the “SAS 70” for the SaaS provider, received a copy of the SOC report for LargeHosting.com, checked the box on the appropriate audit work paper, and moved on.

As a result, their audit of financial statement controls is missing an important component of a critical financial statement line item. Does your SaaS provider provide you with independent attestation? If not, perhaps it’s time you asked for it.

  1. June 17, 2012 at 10:00 AM

    Good points David. Thank you for putting a spotlight on these issues. I have seen this problem too. Companies will present their datacenter’s SOC report as assurance regarding their controls as long as their clients will accept it. It is when they start getting larger clients, that they find out that their datacenter’s report is not good enough.

    The scary thing is that this practice is actually encouraged by datacenters. Check out one of my first blog posts (http://bit.ly/zntg5h) where I highlighted a legal notice on the first page of a very large datacenter’s SOC 1 report that addresses their customer’s customer. This is clearly a violation of the restricted use rules. Assurance is not supposed to extend to a customer’s customer.

    I’m not sure what the solution is, but I have an idea that will help…the AICPA needs to institute an entry level assurance that small businesses can cut their teeth on similar to the Self Assessment Questionnaire that the Payment Card Industry has. I wrote a blog post on the topic here: http://bit.ly/Mdz3lV

  2. June 18, 2012 at 1:25 AM

    Great / slightly technical post on what is missing. I am sure that in the early stage of SaaS / Cloud deployment, lots of these issues will come up. Here is an opportunity for you to step up and help companies (for pay) to take care of all these quality and regulatory issues. I work with a company designing and integrating VoIP systems. In the financial sector the same issues come up with call recording and call tracking helping agents and QA managers assure prompt and proper service for financial customers. We certainly need to write more about this and inform whole industries and key workers of the issues and the solutions available now, and also missing… Thanks for taking the time to write a general and clear statement on the situation today. Take a look at Tikal Networks’ SaaS solution, also early in the cloud deployment phase: http://bit.ly/tikalSAAS
