Everyone knows there’s a new sheriff in town when it comes to reporting on security controls for data centers. Last year, the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) replaced the outdated Statement on Auditing Standards No.70 (SAS 70 Type II). So, how is SSAE 16 different from SAS 70, and what makes it better for data centers?

Traditionally, service organizations working toward standardized and compliant security controls would publish an audit to report on operating effectiveness every six months. Colocation customers rely on these reports to demonstrate their data center provider meets regulations and shows proof of compliance for Sarbanes-Oxley, PCI, etc.

As is true with any “changing of the guards,” data center providers must learn to articulate the differences between the standards and what it means to our customers.

Problems with SAS 70

The problems with SAS 70 arise from discrepancies in audit scope and analysis procedures, the qualifications of the auditors, and loose interpretations of the final report. Also, the audit was not specifically designed to focus on information systems frameworks, especially complex infrastructures.

For a fresh approach and to keep pace with evolving accounting standards, the Auditing Standards Board of the American Institute of Certified Public Accountants released SSAE 16 in 2010, which officially replaced SAS 70 in summer of 2011.

Key Attributes of SSAE 16

  • Attestation – The new standard is not an audit, but an attestation. “Audit” is reserved for accounting purposes and financial statements.
  • Description of System – Service providers must now describe the entire system instead of only controls. System is described in an online SSAE 16 resource guide as “the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization’s core activities that are relevant to user entities.” The time period in which all components of the system are reported on is the same.
  • Management Assertion – The new standard requires a written assertion by the service organization’s management to the CPA firm conducting the SSAE 16 process. This includes a description of the system, the suitability of the design, operating effectiveness and application of controls.
  • Subservice Organizations – Organizations who use other service providers to perform some or all work within the system are now required to include them in the description of the system. This is handled in one of two ways. The first includes a description of the control objectives of the subservice provider in the description of the system. The other excludes the controls but demonstrates the monitoring of their effectiveness.

What Does this Mean for Data Center Customers?

Increased accountability for your service provider. By reviewing the controls in place AND the effectiveness of the controls, your service provider must be accountable for how they use the tools at their disposal.

It’s one thing to have sophisticated software to monitor data center access, but it’s another to prove you can effectively use it when needed and that you have contingencies for a disruptive event.

Secondly, the attestation is not a comparative rating, but when making a leasing decision, it can be a beneficial aid. If allowed, a business may review the attestation to determine whether a data center’s processes and competency are sufficient to meet its needs.

For example, if you were to encounter an inconsistency in a colocation provider’s security protocols, and security is of tantamount importance to your organization, you can pass for another who can reliably provide for those needs.

SSAE 16 Disclaimer

Many data centers claim to be SSAE 16 certified, which is not correct. SSAE 16 is not a certification. It’s an attestation as of a specific date. Service providers should not represent themselves as SSAE 16 “certified” or SSAE 16 “compliant. They should say they are compliant with SSAE 16.

4 comments

  1. Holly,

    You forgot to tell them that SSAE16 is not designed to provide assurance regarding security, availability, processing integrity, confidentiality, or privacy! That’s the most important thing! Datacenters need to provide that assurance to their customers, and the AICPA is telling us loud and clear that SSAE16 is not designed to do that. If you need that, you need a SOC2. Please see my blog post: http://bit.ly/yFbuu3. You can also find my blog by typing “Risk Assurance Guy” into Google.

  2. Holly – glad to see that the data center service provider community is beginning to educate its customers on the subject of SOC reporting. I agree with Jon’s post though, SOC 2 is ultimately the best reporting option for a data center (vs. SSAE 16 aka SOC 1) because the objectives of the report align much more neatly with what a data center does. SSAE 16 (aka SOC 1) will not rectify the problems data centers previously had with SAS 70.

  3. It would be simpler to reference just the AICPA’s AT 101 Attestation Standard, now that SAS 70 is gone. Every attestation report choice requires compliance with the AT 101 Standard.

    Also, the SSAE 16 engagement with a SOC 1 report format are mandatory for customer financial statement reporting objectives. However, most data centers do not agree contractually to be responsible for any customer’s financial statement reporting risks nor would they select financial statement reporting objectives. A company unable to detect that their accounts do not balance or have fraud issues without the help of a data center…has a lot more to worry about.

    An AT 101 Type 1 or 2 project’s report choice is voluntary, and can be a:
    – customized AT 101 report, which provides the same flexibility as the prior SAS 70 did. Therefore, where the data center can choose a preferred and appropriate internal control frameworks of value to the data centers’ customers (i.e., an industry-appropriate and well-defined criteria, with a mix of other appropriate frameworks/criteria, and customer contract/SLA compliance and policy process requirements as are appropriate to serve their customer needs). For example, ISO is referenced by the AICPA’s Trust Services Principles (TSP 100), as an appropriate criteria for the 5th Principle – Security.

    – standardized SOC 2/3 reports, provide a more biolerplate approach, and requires the use of at least one of the AICPA’s 5 Trust Services Principles (Availability, Integrity, Confidentiality, Privacy, and Security). Each selected Principle also mandates underlying criteria. For instance, the Privacy Principle requires choosing as a minimum scope, at least 1 of the service provider’s privacy policy commitments for compliance examination.

    SOC 2-3 are not AICPA standards; but voluntary standard-ized (biolerplate) report format options with a brand mark promotion, which also must conform to the AT 101 Attestation Standard.

    Those who were accustomed to and prefer reviewing the quality of in a SAS 70 effort via the report, would ont want a SOC 3 report, as it has only a brief opinion letter without reporting an internal controls description or the nature of the tests performed.

  4. Hello,

    Can you please comment on SAS 70 Type II? Is Type II still relevant, or has SSAE 16 replaced it as well?

    Thank you,

    Darren.

Comments are closed.