Are your software services compliant?

Software as a service poses new challenges for companies with regulatory compliance requirements

In case you haven’t noticed, just about every part of the IT infrastructure must comply with some regulation or other.

I recently covered the news about Siemens’ latest Wi-Fi hardware and software, HiPath Wireless Advanced, which supports compliance with Sarbanes-Oxley (aka Sox), HIPAA, the Gramm-Leach-Bliley Act, and Department of Defense Directive 8100.2, among other government regulations. The Siemens Wi-Fi management component can issue a 20-page report in the blink of an eye, according to Luc Roy, vice president of product planning at Siemens. It allows auditors to know such vital details as the channels on which the data was running, how many files were encrypted, and what other access points were available but not on the system.

Surprisingly, with all the discussion around SaaS (software as a service) in the enterprise, the issue of SaaS supporting public companies’ need for Sox compliance has yet to be discussed. However, it’s difficult to nail down what it means for a SaaS company to be Sox-compliant for the benefit of its customers.

Ian Campbell, CEO of Nucleus Research has a go at an answer. Where SaaS providers used to have to worry about only the technology, he says, when it comes to compliance there is another piece they now need to look at -- whether they have the right processes in place so that, when their customers are audited, the applications and processes delivered online offer the kind of information an outside auditor will accept?

I called the No. 1 SaaS vendor,, to ask if it was incorporating some sort of special Sox compliance into its solution. Unfortunately, the spokesperson said he could find no one who could talk about it. I found that strange.

Nevertheless, because is a public company it has already undergone the scrutiny of a Sox audit. I assume that, by extension, that will be good enough for its customers. It’s the private companies, which currently aren’t required to comply with Sarbanes-Oxley, that you must be concerned about.

One privately held SaaS company, Intacct, claims to have received SAS 70 (Statement on Auditing Standards No. 70) Type II Service Auditors’ Report certification, from Grant Thornton, a leading independent auditor. Intacct does on-demand ERP. CEO Robert Jurkowski says his company is the only SaaS ERP vendor to pass SAS 70.

Under Section 404 of Sox, most companies are required to have an SAS 70 report from their service providers to evaluate controls, operations, datacenters, security, backup, and system availability. I asked Jurkowski what it means to be certified. “It means our processes and ability to support them and make them auditable are in alignment with a public company’s Sox audit,” he said.

If you remember the old days, when you had to be sure you were using a No. 2 pencil or they wouldn’t let you take the SATs, basically that’s what an SAS 70 report is, as far as I can tell. The online provider must be that No. 2 pencil. It doesn’t say how you will do on the test, but it does say you have the right equipment to take it.

If you are considering a SaaS solution for a department, a division, or the whole company, due diligence requires that you make sure the online solution provider you plan to use has SAS 70 or similar certification. Finding one that does, however, might be easier said than done.