Software-as-a-service and Sarbox: Good match?
You've probably heard a lot about the rise of software-as-a-service as a model that more companies, big and small, are embracing. Clearly, the notion of paying for software services, hosted elsewhere, on an as-you-go basis makes a lot of sense. Does it offer any advantages from a compliance standpoint? Treb Ryan, CEO of OpSource, noted at a recent conference that the software-as-a-service model can be a big benefit in compliance if the service is already "compliant" from a Sarbanes-Oxley, HIPAA or other regulatory perspective. OpSource, which provides a platform for software companies to deliver services, notes that its service has completed a rigorous audit known as a Type II SAS 70, which basically validates that the service is compliant. So the marketing point is that software-as-a-service (SAS 70-audited, anyway) for critical functions can still deliver the benefits and perhaps even save you a few compliance headaches. More software-as-a-service providers will likely start touting this.
For more:
- Here's an article from InfoWorld (scroll down for Ryan's comments)

