Are your software services compliant?

25.04.2006

One privately held SaaS company, Intacct, claims to have received SAS 70 (Statement on Auditing Standards No. 70) Type II Service Auditors' Report certification from Grant Thornton, a leading independent auditor. Intacct provides on-demand ERP. CEO Robert Jurkowski says his company is the only SaaS ERP vendor to pass SAS 70.

Under Section 404 of SOX, most companies are required to have an SAS 70 report from their service providers to evaluate controls, operations, datacenters, security, backup, and system availability. I asked Jurkowski what it means to be certified. 'It means our processes and ability to support them and make them auditable are in alignment with a public company's SOX audit,' he said.

If you remember the old days, when you had to be sure you were using a No. 2 pencil or they wouldn't let you take the SATs, basically that's what an SAS 70 report is, as far as I can tell. The online provider must be that No. 2 pencil. It doesn't say how you will do on the test, but it does say you have the right equipment to take it.

If you are considering an SaaS solution for a department, a division, or the whole company, due diligence requires that you make sure the online solution provider you plan to use has SAS 70 or similar certification. Finding one that does, however, might be easier said than done.