The Benefits of a SAS 70 Security Audit for Market Research Firms
C+R Research received the final copy of our first SAS 70 audit about three weeks ago. It was the end of a year-long effort to review and re-think our privacy and security policies and procedures, and everyone involved was elated when we passed with flying colors.
But I’ve been thinking, now that the hard work and occasional frenzy that got us to this point are over, about what the real value of all that effort was. And I’m pleased to discover that we got more benefits than we expected.
For those of you who don’t know, SAS 70 is an audit standard developed for service organizations by the American Institute of Certified Public Accountants. A SAS 70 audit is an in-depth examination of a firm’s information technology and processes, and companies obtain them to demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers.
Like most market research providers, C+R regularly receives confidential information from many of our clients. For clients in the financial services and healthcare industries, the confidentiality of customer information involves specific legal obligations, but clients in all industries are becoming more conscious of the importance of safeguarding customer data.
Many of us here at C+R cut our teeth handling information from young kids – we’ve been complying with the Children’s Online Privacy Protection Act (COPPA) since 2000, when we started our KidzEyes.com panel. So we were pretty confident that we knew what we were doing when it came to security and privacy issues.
And we were right, for the most part. When we dug into the SAS 70 process, we discovered that we had the fundamentals solidly covered. What we didn’t have was systematic procedures for reviewing and improving our processes. And we hadn’t given enough thought to training, passing on knowledge and experience. And, most of all, we hadn’t focused enough on being able to backtrack along our own processes so we could prove that we had done what we intended to – or, should the dreaded day arrive, find the point when something went astray.
So, although I’m pleased that we can now share the results of a successful audit with our clients, I’m most pleased that we’ve given ourselves a better chance to stay on course in the future. That has turned out to be the real, and unexpected, benefit of the SAS 70. It was well worth the time and money. And for all the work involved, I’d recommend it to others.