Why Data Centers Need SSAE 16

Chris Schellman is the President of BrightLine, which is accredited as a CPA firm, PCI QSA Company, and ISO 27001 Registrar. He is a licensed CPA, CISSP and PCI QSA, and has contributed to nearly 1,000 SSAE 16 / SAS 70 examinations.

Christopher_Schellman_BrightLineCHRIS SCHELLMAN

SSAE 16 is one of the most widely known tools for providing assurances to data center customers. It is demanded by customers and there is no substitute for it. And yet, a myth that the SSAE 16 standard is not applicable to the industry persists. As such, data center providers have no choice but to arm themselves with the following facts about SSAE 16 applicability.

The technical guidance for SSAE 16 has two major components, which are the SSAE 16 standard itself and the related guide titled “Service Organizations –Applying SSAE No. 16, Reporting on Controls at a Service Organization (SOC 1)”.

The very first paragraph of the SSAE 16 standard (PDF) states that it is applicable when reporting on “controls at organizations that provide services to user entities [i.e., customers] when those controls are likely to be relevant to user entities internal control over financial reporting.”

SSAE 16 Applies To Data Centers

Data centers, colocations and managed service providers (collectively “data centers”) that host systems relevant to their customers’ financial reporting are responsible for certain controls over those systems, such as physical and environmental security. Therefore, SSAE 16 is applicable to data center services according to the professional guidance. Period. End of story.

Furthermore, there is no basis for blanket statements that SSAE 16 is not applicable to data centers. The SSAE 16 guidance does not contain a special exclusion for the data center industry, or any other industry for that matter. On the contrary, every time the guidance touches on this topic, it provides more support for the applicability of SSAE 16.

For example, the SSAE 16 guide provides the following examples of service organizations that perform functions relevant to customers’ internal control over financial reporting – ISPs, Web hosting providers, and ASPs, including those that “provide services similar to traditional mainframe data center service bureaus”. (Ref. Par. 1.06)

If SSAE 16 is applicable to Web hosting providers, rest assured that it is applicable to data center providers. Before anyone claims that an “ASP” is not a data center, keep in mind that we are dealing with a decade-old catch-all definition poorly crafted by CPAs. It was never meant to be a technical definition. And despite being poorly written, the intent of clarifying the applicability of SSAE 16 to third party IT service providers is very clear.

SSAE 16 and General IT Controls

What about the claim that SSAE 16 should not be applied exclusively to general IT controls?

There simply is no technical support for such a claim when the underlying controls have a relevance to customers’ internal control over financial reporting. The SSAE 16 guide states that control objectives should “include general computer control objectives that are necessary to achieve the application control objectives […] and are therefore likely to be relevant to controls over financial reporting at user entities.” It then follows the statement with four pages of illustrative general IT control objectives such as information security, change management, and computer operations topics. (Ref. Par. 4.50)

It is also important to note that general IT control objectives for a typical service organization are the application control objectives for a data center. In other words, a data center’s services are, from an SSAE 16 perspective, the provision of IT general controls, whereas general IT controls are merely the supporting cast in other SSAE 16 examinations.

When “general computer control objectives” are the responsibility of a third party data center, a decision has to be made by the service organization as to whether it will include the data center’s services within the scope of its examination (the “inclusive” reporting method), or exclude them (the “carve-out” reporting method). Everyone agrees that this is the proper handling of data centers that host relevant systems. So if a data center’s services can be carved out of a service organization’s SSAE 16 examination, why can’t the data center be the subject of its own SSAE 16 examination? It is highly contradictory to believe that SSAE 16 can be applied to a data center in a subservice organizations role, but not as the actual service organization.

But isn’t SOC 2 the appropriate alternative to SSAE 16 (aka SOC 1) for data centers?

Absolutely not.

Although often misunderstood, SSAE 16 and SOC 2 have distinctly different purposes. SSAE 16 is meant to be used in conjunction with the financial statement audit of a service organization’s customers. SOC 2 examinations report on controls related to compliance with one or more the Trust Services Principles (i.e., security, availability, processing integrity, confidentiality and privacy).

The SOC 2 guide clarifies this when it states (emphasis added):

“A service organization’s controls may be relevant to a user entity’s internal control over financial reporting and also to the trust services principles. This guide is NOT intended to permit a SOC 2 report to be issued that combines reporting on a service organization’s controls relevant to user entities’ internal control over financial reporting with reporting on controls relevant to the trust services principles. A service organization may engage a service auditor to separately perform an engagement that addresses a service organization’s controls related to user entities’ internal control over financial reporting. If a service auditor is engaged to perform both a SOC 1 and SOC 2 engagement, certain testing performed in either engagement may provide evidence for the other engagement.” (Ref. Par. 1.23)

The Bottom Line

Translation: SOC 2 is not an alternative to SSAE 16. A data center may need to complete an SSAE 16 examination and an SOC 2 examination, but cannot use one as a substitute for the other. Besides, data centers’ customers, and especially their financial statements auditors, already understand that only an SSAE 16 report is appropriate for the purposes of the customers’ financial statement audits, as was the case with predecessor SAS 70 reports.

In the real world, customers are demanding ongoing SSAE 16 examinations from their data center providers. The leading providers of SSAE 16 examinations (i.e., BrightLine and the “Big 4” CPA firms) have considered these issues and continue to perform SSAE 16 examinations for data center providers. In fact, many data center providers have already announced the successful completion of SSAE 16 examinations.

In light of the evidence, it is clear that SSAE 16 is a valuable assurance standard for data centers and their customers.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.

Add Your Comments

  • (will not be published)


  1. kevin

    Great article, straight to th epoint.Would alos love to remind of the value of a good reporting tool in dat centers.We have been using FastReport.Net at our center and it really helped u swhen we needed help.

  2. Great post clarifying the purposes of SSAE 16 and SOC 2 - I think a lot of people are still confused, and I've even seen arguments that data center operators don't need SSAE 16 at all. Thanks for sharing.

  3. David

    Thanks for the good post. But one question, so for SOC1, only ICOFR related controls should be included and tested, such as physical and environmental control? Of course this depends on what financial reporting related control has been outsourced by data center service user. Currently there are so many controls in SAS70 seem not relevant to ICOFR? Thanks!! :)

  4. General IT controls are considered internal controls relevant to financial reporting. If your financial systems are hosted at a data center with no doors and no roof, it could have a very negative impact on your ability to prepare financials. Where the AICPA probably erred, IMHO, was in requiring the Trust Services Principles to be the basis for SOC 2. A far better approach would have been to make SOC 2 the equivalent of SOC 1 but for non-ICFR topics. That would have allowed the service organizations to customize their control objectives. As it stands, SOC 2 examinations are clunky and awkward because service organizations have to work within the domain of static set of principles that the AICPA thinks is relevant. We don't have defined control objectives for SOC 1. I wish they would have used that model for SOC 2. Of course, an AT 101 examination would achieve my desired result, but that option is getting the marketing backing of the SOC reporting options.

  5. Frank Bob

    Chris-Can a cloud company seek SSAE16 certification if they aren't processing financial data?

  6. Chris Schellman

    There is no requirement that the service organization process financial data to be a candidate for an SSAE 16 examination (e.g., data centers). The purpose of SSAE 16 is to "report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities' internal control over financial reporting." If the cloud provider provides such services, they are a candidate for an SSAE 16 examination.

  7. MLS

    I'm looking at SOC2 for my company, a SaaS provider, and need to understand to what degree software product functions are in-scope, especially under the "Processing" (integrity) domain. Our service is a type of 'front end' for an existing customer system. I believe the focus for us would be on operational controls (such as access controls, encryption, source code management, configuration management) of our environment rather than features of the software product itself, especially since most of the processing is done at the back end. Any initial thoughts?

  8. Interesting question. It would be best answered offline. Please feel free to submit it here (https://www.brightline.com/contactus) and we will be happy to respond to you. Thanks!

  9. Fred Hutchings

    Regulations and "standards" are the truly single largest growth industry in the US and lots and lots of people are making money of of it. Of course, to keep things growing, "standards" have to be expanded and applied to a broader set of businesses, units of businesses and technical areas. This little article is a prime example of all of this.

  10. Graeme Slattery

    Does SSAE-16 have relevance outside the USA and if so - why. Particularly in the Australian environment.

  11. Linda Rocco

    The weakness here is how to determine if a control is considered as an ICFR. I fail to see how and why would typical colo DC services would be relevant for financial reporting purposes.