Trends Report

SAS 70 Out, New Service Organization Control Reports In

Security And Risk Professionals Must Prepare To Phase Out SAS 70 Today

October 31st, 2011
Ed Ferrara

Summary

Developed by the American Institute of CPAs (AICPA), the Statements on Auditing Standards 70 (SAS 70) has been around since 1992. When the Sarbanes-Oxley Act (SOX) of 2002 passed, SAS 70 gained new urgency because auditors used it to assert the suitability of financial controls at a third-party service provider. Until recently, SAS 70 was the Swiss Army knife for certifying not just financial controls but all things related to compliance, including information security certification. The AICPA did not design SAS 70 for these additional purposes, and auditors used SAS 70 inappropriately in many cases. When it was used for information security certification, CISOs routinely derided SAS 70 as "proving nothing." In response to this and other issues, the AICPA introduced new audit standards this year to replace SAS 70. This report provides insight for CISOs on these new audit standards and their effectiveness in auditing service providers for information security compliance.


This report is available for individual purchase ($1495).
