
SAS70 Audit for On-Demand Sales Performance Applications

February 5, 2008

There are tons of resources about SAS70 and Sarbanes-Oxley on the web.

In a nutshell, SAS 70 is a Statement on Auditing Standards (SAS) for service organizations, developed by the American Institute of Certified Public Accountants (AICPA). It demonstrates that a firm has proper controls and processes to protect the data belonging to their customers (very important!). The SAS 70 report is issued by an independent auditing firm and includes the auditor’s opinion on the service organization’s controls. A SAS 70 report is particularly important since it is the preferred method of providing assurance for service organization clients subject to Sarbanes-Oxley Section 404.

These days, service organizations enjoy talking about their Type I and Type II SAS 70 reports when it comes to marketing their applications. A Type I report includes the auditor’s opinion on the extent to which the organization fairly represents its controls, together with a description of those controls. A Type II report includes all the information in the Type I report, plus the auditor’s opinion on how effectively the controls operated during a defined period.

This being said, according to the SAS 70 website and other online resources, “SAS 70 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve”. This means that customers need to review the disclosed controls and ensure they are sufficient to meet their objectives and their own auditor’s requirements. It also means that a SAS 70 report does not guarantee data security.

More detailed information about SAS70 can be found on the SAS 70 website, on Wikipedia and from Deloitte.

How do Sales Performance Management Systems Stack Up?
As I mentioned above, since SAS 70 does not prescribe which controls should be used, it is not possible to compare SPM / EIM vendors directly on that basis. However, I tried to find as much information as possible about SAS 70 certification for every vendor.

Callidus

SAS 70 Type: “Meets SAS-70 compliance”
Controls: N/A
Sources: Link 1
Comments:

Centive

SAS 70 Type: Type II
Controls: N/A
Sources: Link 1
Comments: Completed January 2008

EIM Software

SAS 70 Type: “Guaranteed SAS-70 compliance”
Controls: N/A
Sources: Link 1
Comments:

SalesForce.com

SAS 70 Type: Type II
Controls: N/A
Sources: Link 1
Comments: The article dates from 2004

Synygy

SAS 70 Type: “Completed SAS Audit”
Controls: N/A
Sources: Link 1
Comments:

Varicent

SAS 70 Type: N/A
Controls: N/A
Sources: Link 1
Comments: SAS70 Type II data center

Xactly

SAS 70 Type: Type I
Controls: Full redundancy throughout the production infrastructure, regular security patch updates, on-going evaluation of potential security threats
Sources: Link 1 Link 2
Comments: SAS70 Type II data center