As an IT strategist if you are stuck in choosing the right on demand application that fits your bill, Applying SAS70 compliance as a filter criteria  will make your life better. Otherwise ever growing list of on demand software solutions to choose from for every business makes your life really difficult..

We all know that Software as a service model helps and supports ISV’s achieve the following:,

  • Reduces sales barriers
  • Increases  market penetration
  • Perpetual revenue
  • Helps enter new markets, geogrpahies and segments
  • Manage Upgrade and interop control

These factors have made budgetary allocations for SaaS based apps with priority on IT budgets. However there is a strong possibility that you might end up buying a SaaS app which is not of the standards that are required to be met and lesser than satisfactory SLA’s. Some time back, the concerns in choosing a SaaS app were mostly security and how they fare against on-premise solutions, but the  market now has matured as there are a many on-demand solutions for every vertical or horizontal aspect of applications. So how does an IT professional distinguish between the good and better solutions? How can he/she judge whether the SaaS provider will stand up to its SLAs, whether the data is secured and operational procedures exist and are followed?

SAS70 – Advantages and Disadvantages

Statement on Auditing Standards No.70 (SAS 70) is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA) in 1992. It is used to report on the “processing of transactions by service organizations”, which can be done by completing either a Type I or a Type II audit. A SAS 70 Type I is known as “reporting on controls placed in operation”, while a SAS 70 Type II is known as “reporting on controls placed in operation” and “tests of operating effectiveness” (http://www.sas70.us.com/what-is/definition-of-sas70.php). This is the only authorized certification thats available right now to really ratify a on-demand software.

Most importantly just like any other compliance SAS70 allows and mandates companies to follow a set of standard operating procedures (SOPs) . Secondly the fact that you are choosing a SAS70 certified app makes you distinguish yourself from the pack and the crowd.

However the shortcoming from the SAS70 side of thing is it was defined way back from when the ASP’s ruled the world and SaaS was not even there. So companies have still ways to avoid the critical documentation and get away with it.

Way forward

SAS70 certainly puts the building blocks required to have a tighter compliance regime around the way on demand software apps are built, procured, used and deployed. However it can be further improved to ensure it covers operational, security and longevity of the software service provider so that choosing the right on demand ISV apps becomes a streamlined practice.

What does it mean for ISVs and SaaS engineering service providers

ISV apps that are providing on demand versions on top of their hosted and on premise solutions might want to make sure they satisfy the SAS70 regulations to help them better serve the customers. Technology Vendors specializing in providing engineering services for SaaS enabling current ISV products need to appropriately understand the nuances of compliance and regulatory software building. Vendors who position themselves to do this are bound to be successful be it from an ISV angle or from a offshore engineering service provider angle. We at Imaginea recognize this as a compelling proposition going forward.