SAS 70 Reports, in Harsh Spotlight Again

Melissa Klein Aguilar | July 27, 2010

A recent analyst report is reminding the compliance community yet again that so-called SAS 70 reports—the supposedly formal assurances software vendors give to corporate customers about their own internal controls—should be viewed with a skeptical eye.

Analysts Jay Heiser and French Caldwell, both research vice presidents at Gartner, say some vendors (and even some of their customers) treat SAS 70 reports as certifications “proving” the vendor’s compliance with privacy or other regulations, ostensibly to ease the corporate customer’s fears about its own compliance risks when entrusting its data to third parties. In truth, SAS 70 reports are nothing of the sort.


Heiser and Caldwell’s report focuses on vendors in the cloud computing market, where corporations outsource their data storage to independent providers and then access that data...
