Armanino Blog

3 Things Every SaaS Company Needs to Do, and 3 Ways to Stand Out

by Dean Quiambao
May 08, 2020

While the economic impact of the global COVID-19 pandemic is not fully known yet, there are already signs that companies are looking for SaaS solutions — many for the first time — in order to shore up resources and restructure their operations to adapt to this “new normal.” Now, perhaps more than ever before, is the time for SaaS providers to ensure they are ready to meet the coming market demand for their products.

Here are some things every SaaS provider needs to achieve, and a few that will differentiate you from the rest of the competition.

  1. Third-Party Assurance/Vendor Risk Management
    Data is sacred, and clients want assurance that their SaaS provider is protecting it with effective and secure third-party control and risk management. This is such a critical issue for companies that there are now industry-recognized certifications, such as the Standardized Information Gathering (SIG) questionnaire and the Standardized Control Assessment (SCA) that can tell a company if a SaaS provider meets the requirements to secure their data.
  2. SOC 1 or SOC 2 Audit
    This is another compliance “must have” that SaaS providers need in order to demonstrate having a strong control environment. The SOC 1 audit reports on controls at a service organization relevant to a user entity’s internal control over financial report, while a SOC 2 reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. Having a SOC 1 and SOC 2 Report certifies that a third party has tested a provider’s control — providing assurance to clients.
  3. Government Mandated Privacy Compliance
    While consumer privacy controls are already a best practice, it now a legal requirement in some of the largest markets in the world. The California Consumer Privacy Act (CCPA), Europe’s General Data Protection Regulation (GDPR) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) are the most well-known and grant significant rights to data subjects. SaaS providers that are in violation of these laws face the danger of major fines. It’s simply impossible to do business with clients in these markets without compliance with these rules.

These are all the minimum basics every SaaS provider must achieve to seamlessly do business with middle-market and large customers. But, it’s the next-level SaaS providers that get the competitive advantage. Those who don’t just meet the market, but who anticipate the certifications that provide peace of mind create more opportunities.

  1. Demonstrate Cybersecurity
    Providers should consider a SOC Report for cybersecurity, a difference maker in the market. Even if data is properly handled and privacy controls exist, the risk of cyberattack is real. It’s a growing threat, with the number of cyberattacks doubling in just the past half-decade.
    And cybersecurity is more than just network security, it’s also incident management, employee education and physical device monitoring. It requires regular penetration testing and vigilance. While criminals only need to succeed once, providers have to succeed in defending against every attack. Having a validated cybersecurity infrastructure demonstrates to clients that they can rest assured when engaging their SaaS provider.
  2. Supply Chain Controls
    The majority of companies looking for SaaS providers, particularly when it’s an enterprise resource planning solution, derive a significant amount of their value in their salable inventory. Their assets are precious, and so having supply chain controls is paramount to protecting customers’ value.
    This is true for a variety of industries from life sciences or consumer electronics all the way to food and beverage — almost any potential customer is involved in the sale of tangible goods. And everything that touches the production process, to sales pipeline from suppliers to service providers is a part of a complicated supply chain.
    One weak link can cost millions if it breaks. SaaS providers that can help a customer achieve optimal controls relevant to security, availability, processing integrity, confidentiality or privacy in production, manufacturing or distribution are going to have a marketable feature that demonstrates an interest in customer safety and success.
  3. ISO 27001 Certification
    As the only internationally-accepted standard for information security governance, the ISO 27001 certification is being sought after by companies at an exponential rate. Multinational corporations headquartered in the United States already require proof of ISO 27001 certification of their approved vendors — including SaaS providers. It’s a seal of approval that assures companies that it’s safe to do business because it shows a prioritization on information security.
    The standard is set by the International Organization for Standardization and the International Electrotechnical Commission, which demand a rigorous assessment and testing of an organization’s leadership, planning, support, operation, performance evaluation, improvement and more.

For the latest regulatory changes and other information on keeping your organization running through disruption, visit our COVID 19 Resource Center.

May 08, 2020

Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Related News & Insights
SaaS Market Trends
Between the uncertainty of 2022 and the highs of 2021, what will 2023 hold?

December 14, 2022 | 09:00 AM - 10:00 AM PT
Fraud: Current Trends & Hot Topics
Don’t let fraud negatively impact your organization.

December 8, 2022 | 11:00 AM - 12:00 PM PT
Year-End Tax Planning for High-Net-Worth Individuals
Optimize your tax position before December 31.

December 8, 2022 | 09:00 AM - 10:00 AM PT