Mike Klein is president and COO of Online Tech, which provides colocation, managed servers and private cloud services.
The story is a good one. SAS 70, the 20-year-old standard for data center audits, had been twisted, used and abused in so many ways that a “SAS 70 Audit” stands for very little these days. The AICPA (American Institute of CPAs) had the right idea when it created two new standards – SSAE 16 to replace SAS 70 for internal financial audits, and SOC 2 as an objective audit for data center operators.
Unfortunately on the way to the goal line, the AICPA didn’t just trip and fumble the ball, they conceded 90 yards in the wrong direction by creating a set of audit standards that confuse the intended audience and leave industry experts scratching their heads. The new audit reports, SSAE 16, SOC 1, SOC 2, and SOC 3, were meant to substantiate data center merits, but are leaving the entire market dazed and confused.
The Problems with SAS 70
Before we get into the newly created audit confusion, let’s start with SAS 70. SAS 70 (Statement on Auditing Standards number 70) was designed to focus on controls relevant to internal financial reporting. Data center users, desperate for some objective data center criteria, started specifying SAS 70 as a purchasing criterion and operators responded by contracting for SAS 70 audits. It wasn’t long before a number of service providers were claiming SAS 70 certification to validate their data centers.
The problem with SAS 70 is that there are no objective criteria for the audit. I’ve seen SAS 70 audit reports that range from as few as 11 to as many as 49 control objectives. Some operators have claimed a SAS 70 audit despite failing to meet several of their own audit criteria. Apparently, you can claim that you’ve been audited, even if you didn’t pass the audit.
As a result, any data center operator can design their own audit criteria, pay for an audit against those criteria and then claim “SAS 70” on their website. The end result is that a SAS 70 audit means nothing without reading the details of the audit report.
Introducing SSAE 16 and SOC 2
To address the abuse of the SAS 70 standard, the AICPA created a new standard to replace SAS 70, called SSAE 16 (Statement on Standards for Attestation Engagements No. 16), which requires the auditor to obtain a written assertion from management regarding the design and operating effectiveness of the controls being reviewed. The company can still have lax controls, but as long as management attests to those controls, it can claim it has been SSAE 16 audited. The quality of the controls and the results of the audit remain an exercise left to the reader of the report.
SSAE 16 is still focused on internal financial audits – and really wasn’t designed to provide an objective data center audit. The AICPA came up with another audit standard for service organizations (such as colocation and cloud vendors) that promised to provide a standard benchmark by which two data center audit reports can be compared, assuring the reader that the same set of criteria was used to evaluate each. This audit is called SOC 2 (Service Organization Controls 2).
So far, so good - one audit to be used to attest to data center controls for financial audits, and another audit to compare data center service providers against an objective standard.
But Wait! There’s More...
But the AICPA couldn’t stop there. Rather than hire a marketing expert to help them with a clear, concise message (and better names than “SSAE 16” and “SOC 2”, and an easier-to-recognize logo), they started tripping over their own underwear by adding more reports and audit types. Stay with me for a minute while I try to explain the confusing web the AICPA wove.
- An SSAE 16 audit can also deliver a SOC 1 report. SOC 1 reports come in one of two types: Type 1 and Type 2.
- A SOC 2 audit can use up to five different objective control criteria, related to 1) security, 2) availability, 3) processing integrity, 4) confidentiality or 5) privacy of a system and its information. The audited company decides which of these criteria it is being audited against, making it even more difficult for users to get to a single objective standard. SOC 2 reports come in one of two types: Type 1 and Type 2.
- A SOC 3 report is designed to provide the same level of assurance about the selected controls over security, availability, processing integrity, confidentiality and/or privacy as a SOC 2 report, but the report is intended for general release and does not contain the detailed description of the testing performed.
- The SOC 3, which is the overview of the SOC 2 report, is the only report that has a public seal (which looks like something from NASA). So a company that pays for a detailed SOC 2 audit but doesn’t pay for the SOC 3 overview report can’t use the logo associated with the data center audits.
It’s no wonder that companies put out a confusing press release claiming they achieved “SSAE 16 SOC 2 Certification,” when, in fact, no such thing exists.
So in its effort to help the industry achieve an objective set of data center audit standards, the AICPA has instead set the industry back 20 years. Now service providers need to decide on, and users need to sort through, a swath of data center audit reports: SSAE 16 Type 1 & Type 2, SOC 1 Type 1 & Type 2, SOC 2 Type 1 & Type 2 with up to five different objective control criteria, and SOC 3 with the same five criteria.
As any good marketer will tell you – too many options confuse the message and make it hard for the audience to understand. Online Tech has made a significant commitment to compliance, and we decided to become an early adopter of these standards. We have completed our SSAE 16 (aka SOC 1) and SOC 2 audits (both Type 2) and have the SOC 3 report available as well.
Despite the investment, I’ll admit that when we explain these audits to our clients, their eyes roll in the back of their heads and they walk away dazed and confused – negating all of the effort and money we spent on the new data center audits.
Back to the Future?
At the end of the day, our clients want simple, easy-to-understand standards that give them an objective seal of approval. The AICPA failed in this mission, and unless it moves quickly to clear it up, I predict that the industry will settle on SSAE 16 as the de facto “new” audit standard – and SSAE 16 will be used and abused in exactly the same way that SAS 70 was.
Unlike the PCI (Payment Card Industry) audit, which is rigorous and prescriptive, SSAE 16 leaves us right back where we started – with non-objective data center audits that are a “checkbox” required by our clients.
How does a user compare two different audited data centers? For now, the burden rests on the buyer to sort out the good from the bad. Users need to ask for the audit report and read it. There is a wealth of information in the SSAE 16 and SOC 2 audit reports that detail how rigorous the data center operator is in defining and adhering to processes and procedures that protect their data.
As long as users only look for the SSAE 16 audit checkbox, operators will be tempted to use the least rigorous audit criteria to simply pass the audit.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.