The Assimilation of Marketing’s Service Quality Principles and the IT Auditing Process 


A Move Toward Quantifiable SAS 70 Auditing Service Quality, Part 2

Download Article Article in Digital Form

This article is the continuation of “The Assimilation of Marketing’s Service Quality Principles and the IT Auditing Process:  A Move Toward Quantifiable SAS 70 Auditing Service Quality, Part 1” (published in vol. 3, 2011), which suggests that broad quality auditing principles for organizations are realized through controlled processes and procedures. Increasingly, service businesses are finding that sustained profitability is related to delivering service quality. Delivering service quality seems to be a prerequisite for business success, or, at a minimum, a prerequisite for a business to stay afloat in an increasingly competitive market. Auditing procedures should deliver quality via processes that are defined, controlled, communicated and executed. Such processes contribute to the concept of continuous improvement.

However, to close the continuous improvement loop, W. Edwards Deming’s plan-do-check-act (PDCA) model suggests that all processes must be measured iteratively, and SERVQUAL has proved to be an accepted instrument for measuring service quality across several service industries. SERVQUAL is an objective instrument for measuring service quality from the customer judgment vantage point.

The purpose of this article is twofold: to describe the development of a multiple-item scale for measuring service quality and to discuss SERVQUAL properties and assimilation with Statement on Auditing Standards (SAS) No. 70 auditing services. This topic is of importance because of the distinct challenges associated with measuring service quality attributes, which are unlike physical products with tangible characteristics that lend themselves to some form of measurement such as dimensions, appearance, texture, packaging and color. Understanding and measuring services can be significantly more difficult than understanding and measuring tangible products. Services have no physical attributes to measure; thus, the essential nature of the service should be considered from the customer’s perspective.

SERVQUAL Assimilation Into SAS 70 Auditing

Because of the elusive and abstract nature of quality and services, there is no objective measure to assess service quality. In the absence of an objective measure, the customers’ perception of quality has been used as a measure to assess service quality.1 An obvious way of obtaining a better understanding of customers’ perceptions, needs and expectations is to ask them. However, prior to asking, it is useful to put some research into obtaining a view of an enterprise’s services from its customers’ perspective.

A. Parasuraman, Valarie A. Zeithaml and Leonard L. Berry defined service quality as a customer’s judgment regarding the firm’s excellence or superiority with emphasis on perceived quality as a defining factor of service quality.2 According to Sylvie Llosa, Jean- Louis Chandon and Chiara Orsingher, service quality is an attitude or belief that is the result of expectations and perceived performance.3 Customer assessment of service quality is often achieved by comparing the service that is actually experienced with the customer’s expectations.4 Alternatively stated, customers rate the quality of services by the gap between perceived and expected service.

Figure 1The Reliability, Assurance, Tangible, Empathy and Responsiveness (RATER) multidimensional model5 (figure 1) forms a structure of service quality sufficient for measuring SAS 70 service quality by using a performance and expectations gap with the SERVQUAL (22 items) scale. This model can be used to identify and assess customer expectations, to plan and improve services and to measure customer satisfaction.

SERVQUAL:  Reliability Dimension
Many businesses unwittingly use the terms “SAS 70 certified” or “SAS 70 compliant”; both terms are misnomers that, arguably, imply guarantees or the meeting of statutory or regulatory requirements. Specifically addressing this misnomer is central to the reliability dimension (service dependability and accuracy) of SERVQUAL. This begins with an understanding that a SAS 70 audit is only a guarantee that a third-party independent auditor was used to examine a company’s IT security controls and related processes with documented findings in a SAS 70 report. The SAS 70 audit report includes the auditor’s opinion or attestation statement issued to the service organization at the conclusion of a SAS 70 audit. This report is effectively an auditor-to-auditor communiqué between the service and user organization (the entity that has engaged a service organization—particularly if its financial statements are impacted by the services of the service organization).

The reliability of the SAS 70 report may lie in its not being complicit in the misuse of the report by some vendors using the report to support exaggerated marketing claims. Requests from service vendors to prepare SAS 70 reports for purposes that are outside the intended scope of the reports should be refused or avoided. SAS 70 reports were not intended to supplant good old-fashioned IT security due diligence on the part of service vendors, nor should it; only present-day observations are noted without indicating any forward-looking representations.

SERVQUAL:  Assurance Dimension
An old adage holds that people are judged by the company they keep. If one subscribes to this truism, audit firms are well served to surround themselves with people who share their ideals and values. Inspiring confidence and trust as it relates to the assurance dimension is about creating an organization of character that delivers on its commitments— an organization that is attuned to answering the needs of others and that is willing to go the extra mile to support its customers. Another way to engender confidence and trust is to utilize an organization that is known for exceptional products and services and that is respected or admired in the marketplace.

Beyond platitudes (i.e., “customers come first”) of the normal business rhetoric, earning trust is a journey achieved over time; customer trust is the most direct route to long-term success, as demonstrated time and time again by successful businesses. Inspiring trust is accomplished in small increments one customer at a time, improving a single process as needed. Bill Price and David Jaffe suggest checklists of things to do and not do when operating an interaction center and provide the right choices for customers at every point in the service process:6

  • On the web site, phone numbers should appear on every page. “Talk to someone” or “chat” buttons should be utilized, and a “contact us” button should be available to make it easy to send e-mails and should state how quickly customers should expect a response.
  • For interactive voice response phone menus or trees, web site alternatives should be clearly mentioned; the option to leave a callback number should be provided; and at any point, the caller should be able to hit 0 to reach an operator.
  • E-mails to customers should always provide an accompanying phone number, along with links to pages on the web site that can actually help explain the issue(s).
  • There should be branch operations that have phones for calling the contact center directly, self-service desks for information, and web-enabled personal computers (PCs) for direct self-service online. Make it easy to contact the enterprise, not difficult.
  • Eliminate “dumb” contacts and unnecessary repeated contacts through better processes and information.
  • Create engaging self-service so that customers can help themselves when possible.
  • Be proactive; do not wait for trouble.
  • Address and fix ownership of problems; do not assign blame to someone else.
  • Listen to the customers, and learn from their feedback and comments.
  • Assist customers when they need help.

According to Price and Jaffe, in general, people will not pay for services or purchase products if they do not trust the company or have confidence in its service.7 Customers will develop trust only if they judge that their interactions with a company are efficient and customer-oriented. Customer interaction is a dominant form of service offered by service companies, yet it is still a nascent discipline for most business people—with lots of unknown complications and unappreciated benefits.

SERVQUAL:  Tangible Dimension
For auditors, the tangible dimension is based largely on facility and staff appearance. Looking professional is essential to being respected and successful in business environments. Understanding what one’s attire is communicating and how best to represent oneself and one’s company during an audit engagement can influence customer perception.

A polished personal image is as important as an organization’s polished image. Proper business attire should be followed irrespective of age, gender or client. Queen Elizabeth II of England is reported to have said, “Dress gives one the outward sign from which people can judge the inward state of mind. One they can see, the other they cannot.” Expectations in dress may vary, but when in doubt, it is always best to dress slightly more formally than may be necessary. Overdressing may make a positive impression on your peers or superiors; underdressing may be perceived as lacking professionalism, savvy or competence.

SERVQUAL:  Empathy Dimension
Extending caring, individualized service is a critical element for success, as it is all about retention—keeping customers inside the loyalty loop as long as possible. Research indicates that improving retention rates can increase profitability.8

A SAS 70 audit should be a security awareness process that engages and educates the customer in ways to better secure the organization’s IT resources. A broad base of informed workers is a cost-effective way to mitigate security risks and better assist auditors. To bring about security awareness, auditors must be willing to relinquish a measure of control as they learn to facilitate risk reduction through effective communication. Once customers are empowered to realize that they have the resources and authority to better safeguard the organization’s information assets, their actions could respond accordingly. An essential part of developing security awareness is to engage the auditee and allow the auditor to experience a paradigm shift—in which auditors begin to comprehend the problems they unintentionally create by their mere presence. Such actions epitomize empathy while individualizing services to the customer’s vantage point.

SERVQUAL: Responsiveness Dimension
The responsiveness dimension examines an auditor’s willingness to help and respond to customer needs. Responsiveness encompasses an auditor’s objectivity; soft skills; and some general understanding of the social psychology of conducting a security audit and the need to understand the customer’s thoughts, feelings, behaviors and influences.

The human psychology of the audit client or customer (when collecting and evaluating evidence of an organization’s information systems, practices and operations) is often overlooked, with emphasis usually placed on the process and not the customer. Arguably, auditing is a human relationship business. As such, auditors should understand the social psychology or the people-side of auditing, beyond the standards, procedures and best practices. Clearly, it is important to understand the process of obtaining and evaluating evidence to determine whether an information system adequately safeguards assets and maintains data integrity while operating effectively and efficiently to achieve the organization’s goals and objectives.

However, understanding the social psychology of IT security auditing is as important as the auditing processes and procedures. Persuading audit clients to become more securityconscious may involve finding ways to overcome auditing anxiety by effectively communicating with customers and letting them know what they are expected to do and what the auditor is willfully doing to support their efforts to reasonably safeguard the organization’s information assets.9

SERVQUAL, A Methodology for Measuring Service Quality

As a way of trying to measure service quality, researchers developed SERVQUAL, a perceived service quality questionnaire survey methodology. SERVQUAL examines five dimensions of service quality:

  1. Reliability
  2. Assurance
  3. Tangible
  4. Empathy
  5. Responsiveness

For each dimension of service quality, SERVQUAL measures both the expectation and perception of the service on a scale of 1 to 7, with 22 questions in total. Each of the five dimensions is then weighted according to customer importance, and the score for each dimension is multiplied by the appropriate weighting.

Following this, the gap score for each dimension is calculated by subtracting the expectation score from the perception score. A negative gap score indicates that the actual service (the perceived score) was less than what was expected (the expectation score).

The gap score is a reliable indication of each of the five dimensions of service quality. Using SERVQUAL, service providers can obtain an indication of the level of quality of their service provision and highlight areas requiring improvement.

The Methodology
In this sample SERVQUAL survey, a SAS 70 audit firm is surveyed; however, any service organization can be surveyed using the provided template. All that needs to be done is to substitute the phrase “SAS 70 audit firm” with the particular organization or industry being surveyed. The steps for carrying out a SERVQUAL survey are:

  1. Select the SAS 70 audit firm whose service quality is to be assessed. Using the questionnaire (figures 2 and 3), obtain the score for each of the 22 expectation statements and then the score for each of the 22 perception statements. Calculate the gap score (perception minus expectation) for each of the statements (figure 4).
  2. Obtain an average gap score for each dimension of service quality by assessing the gap score for each of the statements that constitute the dimension and dividing the sum by the number of statements making up the dimension (figure 4).
  3. Sum the averages calculated in step 2, and divide by five to obtain an average SERVQUAL score. This score is the unweighted measure of service quality for the area being measured.
  4. For a weighted score, calculate the importance weight for each of the five dimensions of service quality constituting the SERVQUAL scale. The sum of the weights should add up to 100 (figure 5).
  5. Calculate the weighted average SERVQUAL score for each of the five dimensions of service quality by multiplying the averages calculated in step 2 by the weighted scores calculated in step 4 (figure 6).
  6. Sum the scores calculated in step 5 to obtain the weighted SERVQUAL score of service quality for the area being measured.

Figure 2

Figure 3

Figure 4

Figure 5

Figure 6

The survey is broken into two sections. In the first section (figure 2), respondents rank all SAS 70 audit firms according to the their expectations, i.e., what they expect all SAS 70 audit firms to provide. In the second section (figure 3), respondents rank the SAS 70 audit firm chosen for the survey according to their experiences and perceptions.


Since, unlike physical products, services are considered processes or performances with obscure or abstract characteristics, there is no objective measure to assess service quality.10 In the absence of an objective measure, customers’ perceptions of quality have been used as a measure to assess service quality across several industries including auditing.11 The multidimensional structure of service quality is perhaps best measured by using performance and expectations gaps as measured by a SERVQUAL scale, which uses five dimensions across a 22-item survey instrument. SERVQUAL is increasingly being used for measuring service quality12 because of its practical implication and its diagnostic nature for improving service quality.13 The SERVQUAL scale is a reliable and valid tool for measuring service quality of audit firms. Research findings indicate that the SERVQUAL scale consisting of five dimensions is reasonably satisfactory to measure perceived service quality of audit firms.

According to Z. Turk and Mutlu Yuksel Avcilar, assurance is the most important dimension of the service quality of audit firms, followed by reliability, responsiveness, empathy and tangibles.14 These findings indicate that customers are more concerned with the assurance, reliability and responsiveness dimensions in assessing the service quality of audit firms.

One could surmise that audit firms seeking long-term sustainability should strategically focus on employees’ knowledge, courtesy, ability to perform promised services dependably and accurately, and ability to help customers while providing services willfully in order to improve service quality.


1 Bamert, Thomas; Hans Peter Wehrli; “Service Quality as an Important Dimension of Brand Equity in Swiss Services Industries,” Managing Service Quality, vol. 15, issue 2, 2005
2 Parasuraman, A.; V.A. Zeithaml; L.L. Berry; “SERVQUAL: A Multiple-item Scale for Measuring Consumer Perceptions of Service Quality,” Journal of Retailing, vol. 64, issue 1, 1988
3 Llosa, Sylvie; Jean-Louis Chandon; Chiara Orsingher; “An Empirical Study of SERVQUAL’s Dimensionality,” The Service Industry Journal, vol. 18, issue 2, 1998
4 Donnelly, M.; M. Wisniewski; J.F. Dalrymple; A.C. Curry; “Measuring Service Quality in Local Government: The SERVQUAL Approach,” International Journal of Public Sector Management, vol. 8, issue 7, 1995
5 Op cit, Parasuraman, 1988
6 Price, Bill; David Jaffe; The Best Service Is No Service:  How to Liberate Your Customers From Customer Service, Keep Them Happy and Control Costs, USA, Jossey-Bass, 2008
7 Ibid.
8 Rust, Roland; Anthony Zahorik; “Customer Satisfaction, Customer Retention, and Market Share,” Journal of Retailing, vol. 69, number 2, Summer 1993
9 Bell, Thomas; “The Social Psychology of IT Security Auditing From the Auditee’s Vantage Point: Avoiding Cognitive Dissonance,” ISACA Journal, vol. 3, 2010
10 Lovelock, C.H.; Service Marketing, 2nd Edition, Prentice Hall International, USA, 1991
11 Op cit, Bamert, 2005
12 Cui, Charles Chi; Barbara R. Lewis; Won Park; “Service Quality Measurement in the Banking Sector in South Korea,” International Journal of Bank Marketing, vol. 21, issue 4, 2003
13 Zhou, Lianxi; “A Dimension-specific Analysis of Performance-only Measurement of Service Quality and Satisfaction in China’s Retail Banking,” Journal of Services Marketing, vol. 18, issue 7, 2004
14 Turk, Z.; Mutlu Yuksel Avcilar; “The Effects of Perceived Service Quality of Audit Firms on Satisfaction and Behavioural Intentions: A Research on the Istanbul Stock Exchange Listed Companies,” Research Journal of Business Management, vol. 3, issue 1, 2009

Thomas J. Bell III, Ph.D., CISA, PMP
is a professor of business administration in the School of Business at Texas Wesleyan University in Fort Worth, Texas, USA, and an IT security auditor for in Euless, Texas, USA. His IT auditing specialty is IT audits for small community banks (IT security audits and external penetration testing) and SAS 70 Type I and II audits.

Thomas Smith, Ph.D.
is a professor of marketing and mass communication in the School of Business at Texas Wesleyan University in Fort Worth, Texas, USA. His publications include articles about advertising theories and practices in addition to creative marketing. He also has decades of service marketing experience.

Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2011 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.