SAS 70, SSAE 16, SOC and Data Center Standards
March 3rd, 2011 By: Industry Perspectives
Mike Klein is president and COO of Online Tech, which provides colocation, managed servers and private cloud services.MIKE KLEIN
Recently, our data center auditors, UHY LLP, presented us with an update on what’s going on in the world of SAS 70, SSAE 16, SOC 2 and SOC 3 auditing standards for data centers. There is still a lot of confusion around these standards and they still seem to be evolving, so I’m writing this article with the effort to capture the status of these standards as succinctly as possible.
SAS 70 (Statement on Auditing Standards No. 70) has been around for nearly 20 years. First released in 1992, it has been the gold standard for data center users to assure that their data center is secure and operating under proper control systems. According to the American Institute of CPAs (AICPA), SAS 70 was never designed to be used by service organizations in this manner. It was focused on internal controls over financial reporting.
A SAS 70 audit verifies that the controls and processes that the data center operator has in place are followed. There is, however, no minimum bar that the data center operator has to achieve and no benchmark to which data center operators are held accountable. A data center with strong controls and processes can claim the same level of audit as a data center operator with weak controls and systems. You have to read through the detailed SAS 70 audit report to understand the level of controls and processes deployed and audited.
Something that irritates auditors to no end is how data center operators claim they are “SAS 70 Certified” after they’ve been audited. In fact, no such certification exists. Officially, data centers can only claim they are “SAS 70 Audited.”” However, the sheer number of service providers that have created their own SAS 70 “certification” logos indicates an unfulfilled need for such certification. Enter the new SSAE 16, SOC 2 and SOC 3 reporting standards.
New Reporting Options
SSAE 16 (Statements on Standards for Attestation Engagements No. 16) is the next generation of AICPA auditing standards for reporting on controls at service organizations (including data centers) in the United States. SSAE 16 goes beyond SAS 70 by requiring the auditor to obtain a written assertion from management regarding the design and operating effectiveness of the controls being reviewed. SSAE 16 also provides better alignment with the international audit standard ISAE 3402.
Under the new AICPA reporting standards, an audit that is conducted under SSAE 16 will result in a Service Organization Control (SOC) 1 report. These reports are still focused on controls relevant to internal control over financial reporting. In essence, a SOC 1 report will be the form of reporting for a completed SSAE 16 audit. As with SAS 70, SOC 1 reports are restricted use reports intended only for existing customers and their auditors, not prospective customers or the general public.
SOC 1 reports will be available as Type 1 or Type 2 reports, very similar to the current SAS 70 reporting options. Type 1 reports present the auditors’ opinion regarding the accuracy and completeness of management’s description of the system or service as well as the suitability of the design of controls as of a specific date. A Type 2 SOC 1 report includes the Type 1 criteria AND audits the operating effectiveness of the controls throughout a declared time period, generally between six months and one year. Like SAS 70, there is no official SSAE 16 or SOC 1 “certification.”
SOC 2 and SOC 3 Reporting
SOC 2 and SOC 3 provide much more stringent audit requirements than SSAE 16 with a stronger set of controls and requirements specifically designed around data center service organizations. SOC 2 and SOC 3 provide what was missing in the SAS 70 and SSAE 16 – a standard benchmark by which two data center audits can be compared against the same set of criteria.
In contrast to an SSAE-16 engagement, where the data center operator defines the criteria for an audit, AICPA Service Organization Control (SOC) 2 reports are intended to provide assurance about controls related to 1) security, 2) availability, 3) processing integrity, 4) confidentiality or 5) privacy of a system and its information. A SOC 2 report is based on pre-defined controls criteria contained in the AICPA Trust Services Principles and Criteria. These criteria have been developed by the AICPA for evaluating the design and operating effectiveness of controls at a data center or other service organization.
SOC 3 reports provide the same level of assurance about controls over security, availability, processing integrity, confidentiality and/or privacy as a SOC 2 report, but the report is intended for general release and does not contain the detailed description of the testing performed by the auditor, but rather, a summary opinion regarding the effectiveness of the controls in place at the data center or service organization.
SOC 3 also meets the certification demand that high tier data center operators have been seeking. Once the auditor is assured that the data center operator has achieved the trust services criteria, the company can display the SOC 3: SysTrust for Service Organizations seal.
While this seal still looks like it was designed by a CPA, it’s a huge step in the right direction. SOC 2 and SOC 3 provides data center users a high level of assurance that their data center is secure, highly available and operating under a consistent set of high integrity processes.
SOC 2 and SOC 3 – Welcome Standards to the Data Center Industry
SOC 2 and SOC 3 are welcome standards to our industry. They will raise the bar for some, and allow others to shine under the stringent processes they already have in place. Users will get what they’ve been seeking – a standard benchmark to use when comparing data center operators.
High quality colocation, managed server, cloud hosting and SaaS providers will get what they’ve been looking for – a certification process that provides their users a high level of assurance about the quality of their data center security, availability and process integrity.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.
It will be interesting to see how the migration from SAS 70 to the “correct” SOC framework takes root. Too many CPA firms are clinging to the new SSAE 16 standard, when in theory, companies such as data centers, managed services entities, Software as a Service (SaaS) providers SHOULD be looking at SOC 2 and SOC 3.
iMchael LandesmanPosted April 11th, 2011
Correction to Charles’ URL: http://www.ssae16.org
I think it is actually industry that needs to figure out which report they need. As a practitioner in the field, it is hard for me to convince service providers to pursue different types of reports (SOC 2 / 3) when they’re being asked for a SAS 70, now SSAE 16. Most outsourcing contracts these days have SAS 70 (SSAE 16) clauses in them. A $100 million service provider is not going to tell a Fortune 500 company what kind of report they are going to provide.
What I think it will take is for some of the larger data center service providers like Verizon, IBM, etc. to pursue SOC 2 and set the tone for the smaller guys in the industry. Until then, I expect more of the same with SSAE 16.
Chris BifonePosted June 8th, 2011
Great article. How does SSAE 16 (with a SOC 2/3 report) compare with the ISO27001 std/certification?
Great comments by all. Brian, I agree that the train is being driven by ill-informed user organizations that haven’t bothered to understand what is going on with the new standards. Service Organizations are providing what their customers are asking for.
As for ISO 27001, it is purely an information security certification so there is little value for a colo or cloud provider to spend the time and money to become ISO certified, unless of course the primary service is ISaaS (Information Security as a Service).
This is a great introduction to the Service Organization Control (SOC) reporting options. To provide further background and clarification, the AICPA has a website designated specifically for the purpose of introducing SOC. It is http://www.aicpa.org/SOC. This is the central and direct source for any updates or developments related to SOC.
Hedge Hog CPAPosted September 18th, 2011
Interesting to note that Online Tech still had an SSAE 16 examination performed of their data center services.