AICPA Fumbles Audit Standards at the 5-Yard Line
January 19th, 2012 By: Industry Perspectives
Mike Klein is president and COO of Online Tech, which provides colocation, managed servers and private cloud services.MIKE KLEIN
The story is a good one. SAS 70, the 20-year-old standard for data center audits had been twisted, used and abused in so many ways that a “SAS 70 Audit” stands for very little these days. The AICPA (American Institute of CPAs) had the right idea when they created 2 new standards – SSAE 16 to replace SAS 70 for internal financial audits and SOC 2 as an objective audit for data center operators.
Unfortunately on the way to the goal line, the AICPA didn’t just trip and fumble the ball, they conceded 90 yards in the wrong direction by creating a set of audit standards that confuse the intended audience and leave industry experts scratching their heads. The new audit reports, SSAE 16, SOC 1, SOC 2, and SOC 3, were meant to substantiate data center merits, but are leaving the entire market dazed and confused.
The Problems with SAS 70
Before we get into the newly created audit confusion, let’s start with SAS 70. SAS 70 (Statement on Auditing Standards number 70) was designed to focus on controls relevant to internal financial reporting. Data center users, desperate for some objective data center criteria, started specifying SAS 70 as a purchasing criterion and operators responded by contracting for SAS 70 audits. It wasn’t long before a number of service providers were claiming SAS 70 certification to validate their data centers.
The problem with SAS 70 is that there are no objective criteria for the audit. I’ve seen SAS 70 audit reports that range from as few as 11 to as many as 49 control objectives. Some operators have claimed a SAS 70 audit despite failing to meet several of their own audit criteria. Apparently, you can claim that you’ve been audited, even if you didn’t pass the audit.
As a result, any data center operator can design their own audit criteria, pay for an audit against those criteria and then claim “SAS 70” on their website. The end result is that a SAS 70 audit means nothing without reading the details of the audit report.
Introducing SSAE 16 and SOC 2
To address the abuse of the SAS 70 standard, the AICPA created a new standard to replace SAS 70 called SSAE 16 (Statement on Standards for Attestation Engagements No. 16) which requires the auditor to obtain a written assertion from management regarding the design and operating effectiveness of the controls being reviewed. The company can still have lax controls, but as long as management attests to those controls, they can claim they have been SSAE 16 audited. The quality of the controls and the results of the audit remain an exercise left to the reader of the report.
SSAE 16 is still focused on internal financial audits – and really wasn’t designed to provide an objective data center audit. The AICPA came up with another audit standard for service control organizations (such as colocation and cloud vendors) that promised to provide a standard benchmark by which two data center audit reports can be compared, assuring the reader that the same set of criteria was used to evaluate each. This audit is called SOC 2 (Service Organization Controls 2).
So far, so good – one audit to be used to attest to data center controls for financial audits, and another audit to compare data center service providers against an objective standard.
But Wait! There’s More. . .
But the AICPA couldn’t stop there. Rather than hire a marketing expert to help them with a clear, concise message (and better names than “SSAE 16” and “SOC 2” and an easier to recognize logo), they started tripping over their own underwear by adding more reports and audit types. Stay with me for a minute while I try to explain the confusing web the AICPA weaved.
- An SSAE 16 audit can also deliver a SOC 1 report. SOC 1 reports come in one of two types: Type 1 and Type 2.
- A SOC 2 audit can use up to 5 different objective control criteria related to 1) security, 2) availability, 3) processing integrity, 4) confidentiality or 5) privacy of a system and its information. The audited company decides which of these criteria they are being audited against, making it even more difficult for users to get to a single objective standard. SOC 2 reports come in one of two types: Type 1 and Type 2.
- A SOC 3 report is designed to provide the same level of assurance about the selected controls over security, availability, processing integrity, confidentiality and/or privacy as a SOC 2 report, but the report is intended for general release and does not contain the detailed description of the testing performed.
- The SOC 3, which is the overview of the SOC 2 report is the only report that has a public seal (which looks like something from NASA). So a company that pays for a detailed SOC 2 audit but doesn’t pay for the SOC 3 overview report can’t use the logo associated with the data center audits.
It’s no wonder that companies put out a confusing press release claiming they achieved “SSAE 16 SOC 2 Certification,” when, in fact, no such thing exists.
So in their effort to help the industry achieve an objective set of data center audit standards, the AICPA has subsequently set the industry back 20 years. Now service providers need to decide on and users need to sort through the swath of data center audit reports: SSAE 16 Type 1 & Type 2, SOC 1 Type 1 & Type 2, SOC 2 Type 1 & Type 2 with up to 5 different objective control criteria, and SOC 3 with 5 different criteria.
As any good marketer will tell you – too many options confuse the message and make it hard for the audience to understand. Online Tech has made a significant commitment to compliance and we decided to become an early adopter of these standards. We have completed our SSAE 16 (aka SOC 1), SOC 2 audits (both Type 2) and have the SOC 3 report available as well.
Despite the investment, I’ll admit that when we explain these audits to our clients, their eyes roll in the back of their heads and they walk away dazed and confused – negating all of the effort and money we spent on the new data center audits.
Back to the Future?
At the end of the day, our clients want simple, easy-to-understand standards that give them an objective seal of approval. The AICPA failed in this mission, and unless they move quickly to clear it up, I predict that the industry will settle on SSAE 16 as the de-facto “new” audit standard – and SSAE 16 will be used and abused in exactly the same way that SAS 70 was.
Unlike the PCI (Payment Card Industry) audit which is rigorous and prescriptive, SSAE 16 leaves us right back where we started – with non-objective data center audits that are a “checkbox” required by our clients.
How does a user compare two different audited data centers? For now, the burden rests on the buyer to sort out the good from the bad. Users need to ask for the audit report and read it. There is a wealth of information in the SSAE 16 and SOC 2 audit reports that detail how rigorous the data center operator is in defining and adhering to processes and procedures that protect their data.
As long as users only look for the SSAE 16 audit checkbox, operators will be tempted to use the least rigorous audit criteria to simply pass the audit.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.
Hedge HogPosted January 19th, 2012
Although the article has several substantial inaccuracies about the purpose and use of SAS 70 audits & SOC 1-3, the premise that the AICPA bumbled in a massive way is correct. Unfortunately, the “B team” seems to have been in charge of the development of SOC 2…and the guide was never released as an exposure draft for public comment. The resulting SOC 2 guidance is a painful muddled mess. If only they had allowed SOC 2 to be the equivalent of SOC 1 for non-financial reporting related topics, all would be right with the world. Instead, companies must now choose between the free form SOC 1 standard that can be customized to specific services or the pre-defined mess of Trust Services principles and criteria that is SOC 2. So as the author claims, service organizations are opting to push the limits of SOC 1 rather than subject themselves to SOC 2′s often redundant and irrelevant criteria. I don’t blame them one bit. SOC 2 is, without a doubt, the most disappointing guidance related to internal controls ever released by the AICPA.
[...] of critics. In a new editorial, Online Tech COO and President Mike Klein forked out a operation of potential problems with SSAE 16, alleging that a customary has set behind a review attention by 20 years. Klein’s association [...]
Well said. Kudos for having the courage to speak the truth.
philAPosted January 19th, 2012
fwhite42Posted January 20th, 2012
Agree with what the author is saying here, and absolutely agree that the standards have become more confusing, not less, and could actually open the door for more deceptive practices from providers than the old model.
Side note, Cbeyond corrected their press release: http://www.cbeyond.net/press-releases/details/article/635157
James StewartPosted January 20th, 2012
Great editorial on audit standards – or lack thereof. Particularly on what SAS 70 really amounts to. Thanks for putting it in clear language for all to see and reference.
[...] of critics. In a recent editorial, Online Tech COO and President Mike Klein pointed out a range of potential problems with SSAE 16, alleging that the standard has set back the audit industry by 20 years. Klein’s company focuses [...]
[...] certifications SSAE/SOC des datacenter : Mike Klein, President et COO de Online Tech, décrypte le fouillis et la fantaisie de ces certifications pourtant brandies par bon nombre de prestataires internationaux … Lire aussi En Bref …En Bref [...]
ob1knbPosted January 26th, 2012
There is quite a bit of confusion promoted in the article. This should help clear it up: http://www.schrammassurance.com/wp-content/uploads/2012/01/11-Schramm-SAS70-to-AT101-KLv4.pdf
In the reports reviewed by my clients, the surprise is in the number of SOC 1 and SSAE 16-labeled reports with financial reporting assertions from service provider executives of IT services, but without a financial reporting objective or control – as is required for these AICPA reports. But, there is likely to be a year of education.
Regardless of the alphabet soup confusion, the value of the report comes down to whether or not the report is:
2) covers the risks of greatest need to the reader; and
3) controls were tested in a way and extent adequate for the reader’s needs.
Good to see the correction to SOC 2.
CW PostPosted January 29th, 2012
EXCELLENT ! This is an important wake up call to the industry. I’ve been a CPA for over 30 years. Over the years I have been accustomed to lay folks having misconceptions about how some accounting and auditing principals work, but this mess is a disaster. Not only are we seeing widespread misconception about SSAE16 with Service Providers advertising “SAS 70 Compliant” or “SSAE 16 Certified” on their websites, but there seems to be no effort by the public auditors to correct their own clients. There is a webcast on SOC1, 2 and 3 on Feb 1., for details go to cpa2biz.com/AST/Main/CPA2BIZ_Primary/AuditAttest/Standards/StandardsImplementationGuidance.