Monday, February 4, 2008

SAS70 Audit for On-Demand Sales Performance Applications

There are tons of resources about SAS70 and Sarbanes-Oxley on the web.

In a nutshell, SAS 70 is a Statement on Auditing Standards (SAS) for service organizations, developed by the American Institute of Certified Public Accountants (AICPA). It demonstrates that a firm has proper controls and processes to protect the data belonging to their customers (very important!). The SAS 70 report is issued by an independent auditing firm and includes the auditor’s opinion on the service organization’s controls. A SAS 70 report is particularly important since it is the preferred method of providing assurance for service organization clients subject to Sarbanes-Oxley Section 404.

These days, service organizations enjoy talking about their Type I and Type II SAS 70 reports when it comes to marketing their applications. A type I report includes the auditor’s opinion regarding to which extent the organization represents its controls, and their description. A type II report includes all the info in the type I report, plus the auditor's opinion on how effective the controls are during a defined period.

This being said, according to the SAS 70 website and other online resources, “SAS 70 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve”. This means that customers need to review the disclosed controls and ensure they are sufficient to meet their objectives and their own auditor’s requirements. It also means that a SAS 70 report does not guarantee data security.

More detailed information about SAS70 can be found on the SAS 70 website, on Wikipedia and from Deloitte.

How do Sales Performance Management Systems Stack Up?
As I mentioned above, since SAS 70 does not prescribe which controls should be used, it is not possible to compare SPM / EIM vendors. However I tried to find as much information as possible with respect to SAS 70 certification for every vendor.

Callidus
SAS 70 Type:“Meets SAS-70 compliance”
Controls:N/A
Sources:Link 1
Comments:

Centive
SAS 70 Type:Type II
Controls:N/A
Sources:Link 1
Comments:Completed January 2008

EIM Software
SAS 70 Type:“Guaranteed SAS-70 compliance”
Controls:N/A
Sources:Link 1
Comments:

SalesForce.com
SAS 70 Type:Type II
Controls:N/A
Sources:Link 1
Comments:The article dates from 2004

Synygy
SAS 70 Type:“Completed SAS Audit”
Controls:N/A
Sources:Link 1
Comments:

Varicent
SAS 70 Type:N/A
Controls:N/A
Sources:Link 1
Comments:SAS70 Type II data center

Xactly
SAS 70 Type:Type I
Controls:Full redundancy throughout the production infrastructure, regular security patch updates, on-going evaluation of potential security threats
Sources:Link 1 Link 2
Comments:SAS70 Type II data center

No comments:

Blog Search

Blog Directories

Sales Blogs - BlogCatalog Blog Directory

Enter your email address:

Delivered by FeedBurner

Add to Technorati Favorites

Companies Linking to Me







Tags

About Me

My photo
Ottawa, Ontario, Canada
Julien Dionne is a well-rounded consultant with global business management experience and outstanding technical, business and leadership skills. He earned a Bachelor of Applied Science in Software Engineering from the University of Ottawa, Canada, and he is a member of the Canadian Professional Sales Association. The views posted within this blog do not reflect the views of Julien’s current or previous employers and clients. Julien can be reached at julien.dionne@gmail.com