In today’s business community, many organizations are shifting towards Software as a Service (SaaS) application deployments to reduce costs and gain efficiencies by streamlining IT operations. SaaS is replacing in-house developed or purchased applications and functions at a growing rate. In fact, according to this roundup of cloud computing forecasts put together by Forbes, the bulk of new IT spending in the next three years will be on cloud-based or SaaS application deployments. The figures predicted by Gartner are staggering; as noted in Forbes, Gartner predicts that enterprises will spend $921 billion on public cloud services within the next five years.
While this rush to cloud computing and the SaaS model may be great initially for the bottom line, there are plenty of risks that may be lurking under the surface. For example, consider the following:
- Is data stored at the SaaS organization kept safe and secure, and is it encrypted?
- Who may access certain data at the SaaS organization?
- Does the SaaS organization use another sub-service provider, such as a data center or hosting facility, to physically store data and systems? Do these sub-service organizations have the appropriate controls in place to protect the data in their custody?
- Does the SaaS organization have appropriate controls in place to ensure that their network is not susceptible to hacker intrusion attempts?
- Does the SaaS organization develop its software according to best practices and appropriate coding standards to ensure that the applications themselves cannot be hacked?
- Does the SaaS organization have appropriate controls in place to ensure that the application is available at all times?
The items above are only the tip of the iceberg when it comes to assessing risk at SaaS providers. Management should expect any Software as a Service organization to provide transparency into its operations to alleviate concerns surrounding these types of risks.
Transparency should be attained by requesting and reviewing the SaaS provider’s Service Organization Control (SOC) report, specifically a SOC 2, Type 2 report. A SOC 2, Type 2 report is an independent auditor’s report that uses a standardized set of predefined criteria against which the auditor uniformly judges SaaS organizations. These criteria, called the Trust Services Principles and Criteria (TSPC), comprise five domains (Security, Availability, Confidentiality, Processing Integrity and Privacy) against which a SaaS organization can be tested. The American Institute of Certified Public Accountants (AICPA) suggests that customers of Software as a Service organizations should be concerned with the Security, Availability and Confidentiality domains of control.
Don’t let your organization be left in the dark. Make sure your SaaS or cloud service providers have a SOC 2, Type 2 report so that you gain clarity on the provider’s controls and their operating effectiveness. If you work with a SaaS or cloud services provider that does not have a SOC report, or if you are not sure whether one is needed, feel free to contact a member of our team to discuss the risk. Contact Eric Wright at 412-697-5328 or Dan Desko at 412-697-5285.
© 2014 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.