CIO Interview: Wild Oats' Jon Payne on Compliance, Outsourcing and the Value of SAS-70 Audits

By Debra D'Agostino  |  Posted 05-25-2006

When Jon Payne arrived at Wild Oats, in 2004, it was clear the organic food retailer, with $1.1 billion in 2005 revenues, needed a serious technology upgrade. "We are on a very fast growth curve—113 stores now and 10 opening each year—but we hadn't invested properly in IT," he says. Most in need of attention was the firm's data center, which "wasn't where a billion-dollar company should be." But the cost of managing a complex in-house upgrade was unrealistic, especially since the company had plans to move its headquarters from its space in Boulder, Colo., to a larger facility two miles away.

Outsourcing was the clear option, Payne says. What he didn't realize, however, was the importance of the SAS 70 audit, an international auditing standard created by the American Institute of Certified Public Accountants. The SEC accepts the SAS 70 as a means of certifying third-party vendors for regulations like the Sarbanes-Oxley Act. Senior Reporter Debra D'Agostino recently chatted with Payne about auditing third-party vendors. What follows is an edited transcript of his remarks.

CIO Insight: Why did you decide to outsource your data center?
Payne: I was in the hosting business previously, and in this day and age I feel there's no reason to build your own data center. I looked at the cost of doing it ourselves versus outsourcing, and it was a no-brainer.

But finding a vendor wasn't as easy. First we addressed a number of screening issues. For one, the vendor had to fit our size and level of sophistication. We were still in the midst of building our processes and systems, so we didn't want to be the largest client with a small provider, but we also didn't want to be the smallest customer of a large one. VeriCenter ended up being the right fit for us. Plus, they had already done the SAS 70 audit before we considered them. That was significant because at that time we were going through the initial round of SOX compliance. The SAS 70 audit meant we didn't have to spend a lot of time on the compliance issues surrounding the data center.

Why is the SAS 70 audit so important?
It makes things much less complex. The audit looks at all the controls, who has access to the center, what the process is for gaining and denying access, how backups are performed, testing to make sure policies and procedures are working properly, things like that. Plus it means there are whole domains of knowledge I don't need to have. I don't have to worry about storage management, provisioning, monitoring, things like that. I can basically focus on managing the service-level agreement.

Still, you must have reviewed their audit to make sure the outsourcer's processes were adequate.
Absolutely. We did all the normal due diligence. VeriCenter showed us the audit documents, and we had our legal team and auditors review them. VeriCenter may have had to go through a few more steps to meet our requirements, like producing more documentation around a specific process, for example, but it was pretty trivial.

Was it more costly to go with a vendor that has performed the SAS 70?
If it was, the cost was minimal if anything. I don't think the other outsourcers we were looking at were less expensive necessarily. And to work with a vendor that hadn't gone through this process would have added several hundred hours of work to our staff, and that's an opportunity cost. We would have had to delay other projects or add staff to keep projects running. Then we would have had to go out to the outsourcer ourselves and do all the extensive interviews and testing to be sure that all the controls were in place. And of course, our audit fees would have been significantly higher.

So should CIOs insist on a SAS 70 audit for their outsourcing partners?
To be honest, when we started down this road, we underestimated the value a certified audit would have. It was fairly low on our list of criteria when we began looking at vendors. At the time, we didn't realize what we were going to have to do to meet the requirements of Sarbanes-Oxley. If I had to do it again, I would have made it a mandate, because it doesn't look like SOX requirements are going to lighten up any time soon. In fact, it looks like it's getting more and more complex. So we are glad to have this taken care of.