Why SOC 1/SSAE 16 is Still the King of the Hill
May 1st, 2012 By: Industry Perspectives
Chris Schellman is the President and Founder of BrightLine, which is accredited as a CPA Firm, PCI QSA Company and ISO 27001 Registrar. He is a licensed CPA, CISSP, PCI QSA and ISO Lead Auditor, and has contributed to nearly 1,000 SOC examinations.
When the American Institute of Certified Public Accountants (AICPA) released its Service Organization Controls (SOC) reporting structure in the latter half of 2011, some believed that the new SOC 2 concept would play a prominent role in data center reporting because of its focus on controls relevant to availability, confidentiality, processing integrity, security, and/or privacy using the prescriptive Trust Services Principles. In the several months that have followed, anecdotal evidence suggests that SOC 1, otherwise known as Statements on Standards for Attestation Engagements No. 16 (SSAE 16), the successor standard to SAS 70, remains the clear favorite of data centers and that SOC 2 has yet to gain any significant traction.
In leading BrightLine, a large provider of SOC reporting services, I am well positioned to monitor major trends in SOC reporting. I have observed that virtually every data center that previously underwent a SAS 70 audit has opted to continue with SOC 1 examinations. Some of these data centers elect to couple their SOC 1 examination with an SOC 2 examination, while almost none have elected to completely forego SOC 1 in favor of SOC 2.
In addition, I have noted that a recurring set of questions is being posed by data center providers. These questions, and the related answers, largely explain why SOC 1 / SSAE 16 remains so prevalent among hosting providers. As such, I would like to take this opportunity to share my personal views on these topics.
Are Data Centers Still Valid Candidates for SOC 1 Examinations?
Yes. Despite what you may have heard, there is currently no technical guidance prohibiting the application of SOC 1 to data centers so long as the data centers host systems relevant to user entities’ internal controls over financial reporting (ICFR).
Some people make the prima facie argument that hosting services have no obvious relevance to user entities’ ICFR, and thus, SOC 1 is not applicable to data centers’ services. A more detailed review of the appropriate guidance reveals that this argument is a subjective interpretation devoid of authoritative support. The AICPA’s SOC 1 guide directly contradicts this argument when it provides examples of valid candidates for SOC 1 examinations that, at first glance, are not obvious candidates for an SOC 1 examination. This list includes ISPs, Web hosting providers and ASPs, including those that “provide services similar to traditional mainframe data center service bureaus.” (Ref. Par. 1.06 of the SOC 1 guide) Obviously, hosting services would fit quite comfortably within the range of these examples.
If we were seeking personal opinions on this matter, AICPA webinars would be an excellent source. Interestingly enough, a panel of AICPA experts openly confirmed during a recent SOC reporting webinar that SOC 1 is applicable to data centers when applicability requirements are met, as seen on the lower right corner of this screen capture taken during the webinar.
Beyond the guidance and expert opinions, we should consider market trends. With major data center providers announcing completed SOC 1 examinations on a weekly basis, it is clear that the industry and the “Big 5” of SOC reporting (BrightLine + the “Big 4” global accounting firms) agree that SOC 1 can be applied to data centers. In other words, the debate about the applicability of SOC 1 to data centers is over.
Can Data Centers Use SOC 2 as a Substitute for SOC 1?
No. The first paragraph of the SSAE 16 standard states that the purpose of SOC 1 examinations is to report on “[…] controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.” Paragraph 1.10 in the SOC 2 guide states that the purpose of SOC 2 is to “[…] report on a service organization’s controls other than those that are likely to be relevant to user entities’ internal control over financial reporting.” This purposeful “poison pill” confirms that hosting providers cannot use SOC 2 examinations as a substitute for SOC 1 examinations.
Further guidance is found in the SAS 70 standard, which is still very much alive and has been revised to provide guidance to user auditors (i.e., the financial statement auditors of user entities). Paragraph 24 of the revised standard requires that the user auditors obtain a “service auditor’s report on a service organization’s description of the controls that may be relevant to a user entity’s internal control as it relates to an audit of financial statements […]”. As previously noted, SOC 2 cannot report on ICFR topics and is, therefore, not a viable alternative to SOC 1 for such purposes.
Are SOC 2 Examinations “Better” or “More Appropriate” than SOC 1 for Data Centers?
No. There is absolutely nothing in the current guidance that supports the position that SOC 2 is “better” or “more appropriate” than SOC 1 for data center examinations. Both guides contain unambiguous applicability requirements. Data centers either meet the requirements for SOC 1 and/or SOC 2, or they do not. In the absence of new AICPA guidance, all claims to the contrary are personal opinion and should be treated as such.
Is It True that SOC 1 Does Not Address Logical Security, Physical Security and Processing Integrity Topics?
No. The notion that SOC 1 does not address security or processing integrity is one of the most common errors made by those unfamiliar with SOC reporting. This error often stems from a misconception that SOC 1 examinations opine on financial reporting controls. As I noted above, SOC 1 examinations actually report on controls likely to be relevant to user entities’ controls over their own financial reporting, to which security and processing integrity controls are highly relevant. In fact, the SOC 1 guide includes multiple examples of control objectives and illustrative controls related to logical security, physical security and processing integrity of transactional services. (Ref. Par. 3.63, 4.48 & illustrative reports of the SOC 1 guide, among many others)
Can Data Centers Undergo Both Types of Examinations?
Yes. SOC 1 and SOC 2 examinations are not mutually exclusive examinations. Data centers are often valid candidates for both SOC 1 and SOC 2 examinations. They are part of a small portion of the overall service organization population for which this is likely to be true and worthwhile.
Why is this the case? Because data centers normally host systems that are relevant to the ICFR of some customers and not of others. Therefore, the former will only accept an SOC 1 report for the reasons described above, while the latter are not authorized users of an SOC 1 report and may not rely on it to obtain assurance on topics such as availability, confidentiality, processing integrity, security and/or privacy. So while nearly every data center that formerly underwent a SAS 70 examination is continuing with an SOC 1 examination in order to meet the needs of certain customers, many of those organizations are seeing value in coupling it with an SOC 2 examination for the benefit of customers that are not concerned with ICFR topics.
SOC 1/SSAE 16 Remains King of the Hill
While SOC 2 has potential, SOC 1 remains one of the most important assurance tools for hosting providers. Decision makers should recognize that data centers are often valid candidates for SOC 1 and SOC 2 examinations. Those providers considering either type of SOC examination should realize that it is never a matter of SOC 1 vs. SOC 2. The real decision is whether the organization should undergo an SOC 1 examination, and separately, whether the organization should undergo an SOC 2 examination. It is often advisable to engage a CPA firm with significant SOC reporting experience in these discussions. Such informed analysis may conclude that SOC 1, SOC 2, both, or neither, are appropriate for an organization’s particular circumstances.
It is very important to remember that SOC 1 / SSAE 16 is not designed to provide assurance regarding Security, Availability, Processing Integrity, Confidentiality or Privacy. The AICPA has been clear about this (see http://bit.ly/yO6bgc).
Data centers primarily need to provide their customers assurance regarding security and availability, so it is logical to choose SOC 2. Please refer to my blog post for more information on the subject: http://bit.ly/xoKKxT.
There may still be a place for SOC 1, but only in circumstances where the data center is responsible for controls that are relevant to their customer’s financial reporting.
Interesting article – thanks for sharing your viewpoint.
Unfortunately, as an operator, this muddies the water even further. The AICPA has created a competing set of auditing standards and even the auditors can’t agree amongst themselves which standard to follow. That’s not much help.
Having read different SSAE 16 (SOC 1) reports from a number of data center operators, it’s clear to me that there are no objective standards to which an SSAE 16 (SOC 1) audit can be held. I’ve seen audit reports with 8 control objectives and reports with 54 control objectives. SOC 2 was supposed to provide some objectivity.
What is clear to me:
- Users want an objective standard that tells them they are working with a high quality data center.
- Operators want a single objective standard that shows they are a high quality data center.
- Auditors and the AICPA have created a set of competing audit standards & can’t agree which audit to use
I agree that SSAE 16 (SOC 1) is still “king”, but that’s only because the auditing industry has made it so confusing that everyone is falling back to the lowest common denominator. Until the audit community gets its act together and speaks with a single common voice, neither users nor operators will get the solution that the industry is clamoring for.
Another Auditor, posted May 3rd, 2012
I used to agree with Chris – until reading a few new required PCAOB risk assessment points last year.
The new PCAOB issuer auditor risk assessments require applying the right amount of direct effort and methods to reduce the likelihood of missing a significant or material inaccuracy, as all audits should.
Examples of significant financial statement inaccuracy problems that issuers and their auditors would be unable to independently detect and correct before reporting inaccurately would be hard to find. If the situation did exist, that lack of issuer detection and corrective controls prior to reporting is itself the audit issue, regardless of a data center’s activities.
Also, if the reliance were that great, the PCAOB’s evidence requirements don’t allow the issuer auditor to rely on another service auditor’s report for an opinion anyway. Issuer auditors are only allowed to use service auditor reports as part of their risk assessments now. PCAOB evidence requirements expect issuer auditors to have some of their own direct evidence to do their own testing and conclusions (or supervise another firm) to be able to opine on significant controls.
The interconnectedness of all of the auditing standards makes them a challenge to chase and apply. But it helps to keep the core value and purpose of the reports front and center, and why recent standards changes have been made: to interpret the SOC branded reporting guidance in perspective with ASB-approved standards and/or the PCAOB’s requirements. AT 101 is the driver.
I’m still trying to figure out why data centers would want to sign off on financial statement reporting assertions risk.
In the end, customers want their greatest vendor risks audited and status reported well by competent auditors they can trust. If a report does that – it doesn’t matter what it is called – it’s delivered the value that was needed.
Thank you “Alternative Auditor” for the comments. AS 12 seems consistent with the article, although it doesn’t actually address the issue of service organizations. Anyone looking for the PCAOB’s guidance on that topic would want to review Appendix B of AS 5, which is the standard extensively referenced in AS 12.
I would take issue with the position that user auditors have to perform first hand testing procedures of service organizations and can’t rely on the work of service auditors. That would negate the entire purpose of SSAE 16. I can’t find anything in the standards that explicitly supports that point, not to mention that it would be widely known by now if it were true.
So while I do not agree with all of your points, I do agree that the user organizations and user auditors are largely responsible for determining whether data center services are relevant to their ICFR concerns and which type of evidence is most appropriate. This is why I have consistently argued that the nature of data center services leads to instances where SOC 1 and / or SOC 2 could be applicable. However, the fact remains that so long as user auditors deem data center services to be relevant to ICFR, SOC 2 / 3 reports cannot be used as a substitute for SOC 1. That does not contradict the other methods also available to the user organizations and user auditors as set forth in AS 5 and AS 12. They are always free to decide to perform first hand testing in lieu of, or in addition to, the procedures contained within an SOC 1 examination.