A recent analyst report is reminding the compliance community yet again that so-called SAS 70 reports—the supposedly formal assurances software vendors give to corporate customers about their own internal controls—should be viewed with a skeptical eye.
Analysts Jay Heiser and French Caldwell, both research vice presidents at Gartner, say some vendors (and even some of their customers) treat SAS 70 reports as certifications “proving” the vendor’s compliance with privacy or other regulations, ostensibly to ease the corporate customer’s fears about its own compliance risks when entrusting its data to third parties. In truth, SAS 70 reports are nothing of the sort.
