Chris Schellman is the President of BrightLine, which is accredited as a CPA firm, PCI QSA Company, and ISO 27001 Registrar. He is a licensed CPA, CISSP and PCI QSA, and has contributed to nearly 1,000 SSAE 16 / SAS 70 examinations.
SSAE 16 is one of the most widely known tools for providing assurances to data center customers. It is demanded by customers and there is no substitute for it. And yet, a myth that the SSAE 16 standard is not applicable to the industry persists. As such, data center providers have no choice but to arm themselves with the following facts about SSAE 16 applicability.
The technical guidance for SSAE 16 has two major components, which are the SSAE 16 standard itself and the related guide titled “Service Organizations –Applying SSAE No. 16, Reporting on Controls at a Service Organization (SOC 1)”.
The very first paragraph of the SSAE 16 standard (PDF) states that it is applicable when reporting on “controls at organizations that provide services to user entities [i.e., customers] when those controls are likely to be relevant to user entities internal control over financial reporting.”
SSAE 16 Applies To Data Centers
Data centers, colocations and managed service providers (collectively “data centers”) that host systems relevant to their customers’ financial reporting are responsible for certain controls over those systems, such as physical and environmental security. Therefore, SSAE 16 is applicable to data center services according to the professional guidance. Period. End of story.
Furthermore, there is no basis for blanket statements that SSAE 16 is not applicable to data centers. The SSAE 16 guidance does not contain a special exclusion for the data center industry, or any other industry for that matter. On the contrary, every time the guidance touches on this topic, it provides more support for the applicability of SSAE 16.
For example, the SSAE 16 guide provides the following examples of service organizations that perform functions relevant to customers’ internal control over financial reporting – ISPs, Web hosting providers, and ASPs, including those that “provide services similar to traditional mainframe data center service bureaus”. (Ref. Par. 1.06)
If SSAE 16 is applicable to Web hosting providers, rest assured that it is applicable to data center providers. Before anyone claims that an “ASP” is not a data center, keep in mind that we are dealing with a decade-old catch-all definition poorly crafted by CPAs. It was never meant to be a technical definition. And despite being poorly written, the intent of clarifying the applicability of SSAE 16 to third party IT service providers is very clear.
SSAE 16 and General IT Controls
What about the claim that SSAE 16 should not be applied exclusively to general IT controls?
There simply is no technical support for such a claim when the underlying controls have a relevance to customers’ internal control over financial reporting. The SSAE 16 guide states that control objectives should “include general computer control objectives that are necessary to achieve the application control objectives […] and are therefore likely to be relevant to controls over financial reporting at user entities.” It then follows the statement with four pages of illustrative general IT control objectives such as information security, change management, and computer operations topics. (Ref. Par. 4.50)
It is also important to note that general IT control objectives for a typical service organization are the application control objectives for a data center. In other words, a data center’s services are, from an SSAE 16 perspective, the provision of IT general controls, whereas general IT controls are merely the supporting cast in other SSAE 16 examinations.
When “general computer control objectives” are the responsibility of a third party data center, a decision has to be made by the service organization as to whether it will include the data center’s services within the scope of its examination (the “inclusive” reporting method), or exclude them (the “carve-out” reporting method). Everyone agrees that this is the proper handling of data centers that host relevant systems. So if a data center’s services can be carved out of a service organization’s SSAE 16 examination, why can’t the data center be the subject of its own SSAE 16 examination? It is highly contradictory to believe that SSAE 16 can be applied to a data center in a subservice organizations role, but not as the actual service organization.
But isn’t SOC 2 the appropriate alternative to SSAE 16 (aka SOC 1) for data centers?
Although often misunderstood, SSAE 16 and SOC 2 have distinctly different purposes. SSAE 16 is meant to be used in conjunction with the financial statement audit of a service organization’s customers. SOC 2 examinations report on controls related to compliance with one or more the Trust Services Principles (i.e., security, availability, processing integrity, confidentiality and privacy).
The SOC 2 guide clarifies this when it states (emphasis added):
“A service organization’s controls may be relevant to a user entity’s internal control over financial reporting and also to the trust services principles. This guide is NOT intended to permit a SOC 2 report to be issued that combines reporting on a service organization’s controls relevant to user entities’ internal control over financial reporting with reporting on controls relevant to the trust services principles. A service organization may engage a service auditor to separately perform an engagement that addresses a service organization’s controls related to user entities’ internal control over financial reporting. If a service auditor is engaged to perform both a SOC 1 and SOC 2 engagement, certain testing performed in either engagement may provide evidence for the other engagement.” (Ref. Par. 1.23)
The Bottom Line
Translation: SOC 2 is not an alternative to SSAE 16. A data center may need to complete an SSAE 16 examination and an SOC 2 examination, but cannot use one as a substitute for the other. Besides, data centers’ customers, and especially their financial statements auditors, already understand that only an SSAE 16 report is appropriate for the purposes of the customers’ financial statement audits, as was the case with predecessor SAS 70 reports.
In the real world, customers are demanding ongoing SSAE 16 examinations from their data center providers. The leading providers of SSAE 16 examinations (i.e., BrightLine and the “Big 4” CPA firms) have considered these issues and continue to perform SSAE 16 examinations for data center providers. In fact, many data center providers have already announced the successful completion of SSAE 16 examinations.
In light of the evidence, it is clear that SSAE 16 is a valuable assurance standard for data centers and their customers.