SAS 70 / SSAE 16 Issues & How to Fix Them


Brian J. Thomas, CISA, CISSP is an advisory partner for Weaver, an independent accounting firm in the Southwest with offices throughout Texas.


In the past, data centers received requests from customers to provide a SAS 70 report to obtain some level of assurance about the service provider’s internal procedures. SAS 70 was retired in June 2011 and data centers are now receiving requests from customers for its replacement, SSAE 16 (Statement on Standards for Attestation Engagements No. 16). The standards for both reports were developed by the American Institute of Certified Public Accountants (AICPA).

For data centers, the challenge associated with the use of SAS 70 and SSAE 16 is that both standards are focused on internal controls over financial reporting (ICFR) concerns. ICFR is crucial for corporations that must comply with Sarbanes-Oxley requirements. In most cases, however, ICFR is of limited concern for the services data centers provide for customers. With limited reporting options, data centers were somewhat stuck between a rock and a hard place.

Service Organization Controls

The AICPA recognized this issue and created a suite of reporting options for service providers called Service Organization Controls (SOC) reports, which coincided with the transition to SSAE 16. SOC reports are designed to give service providers options for providing more relevant assurance reports to their customers.

SOC 1 is based on SSAE 16 and, like its predecessor SAS 70, focuses on ICFR. SOC 1 is most appropriate for data centers whose services bear directly on their customers’ ICFR.

The SOC 2 and SOC 3 reports are based on the AICPA’s Trust Services Principles:

  • Security: Physical and logical measures deter unauthorized access.
  • Availability: The system is available for operation and use as specified.
  • Processing Integrity: System processing is accurate, authorized, complete and timely.
  • Confidentiality: Information deemed confidential is protected.
  • Privacy: Information is collected, handled and disposed of in accordance with AICPA Generally Accepted Privacy Principles (GAPP).

SOC 3 is a general-use report that includes only the auditor’s opinion on whether or not a service organization’s system achieved the Trust Services criteria. SOC 3 does not include supporting details and is most useful for marketing purposes.

SOC 2, though, should be very useful for fulfilling the audit requirements of data center customers. Most data center service providers recognize that the concepts of Security, Availability, Processing Integrity, Confidentiality, and Privacy are much more relevant to the services they provide than ICFR. The SOC 2 report includes a description of the data center’s system, along with the auditor’s opinion on the fairness of that description and the suitability of the control design. The report also includes a description of the tests performed by the service auditor and the test results.

SOC 2’s scope can include any combination of the Trust Services Principles. For example, a colocation facility may decide that Security is the only principle that aligns with the services it provides, while a managed hosting provider may decide that the Security, Availability, and Confidentiality principles are all relevant.

With New Reports, Confusion Created

While the various SOC reporting options enable data centers to provide more relevant assurance reports, the newness and variety of those options are also creating confusion in the marketplace.

Today, data center customers often request an SSAE 16 (SOC 1) report simply because they are accustomed to receiving a SAS 70 from their data center service provider. In addition, the number of reporting options and the many possible combinations of Trust Services Principles in a SOC 2 report may create confusion for customers.

The new options require data centers to re-examine their objectives for the third-party assurance they seek to provide. Data center service providers should consult with their auditors early, and discuss the key objectives and available options with critical customers and those customers’ auditors. This process will likely require repeated explanation and education of customers.

The benefit, however, is that through this process data centers can help ensure the third-party assurance that they give to customers is relevant to the services being provided and not just a “check-the-box” requirement.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.
