We’re in the final vigil for SAS 70. The oxygen has been brought out and the last rites are being given, and while a few data centers are scrambling to get a SAS 70 audit before the bell tolls, on June 15, 2011, SAS 70 will be dead. Auditors will no longer conduct SAS 70 audits or issue SAS 70 audit reports, as the AICPA (American Institute of CPAs) switches to SSAE 16 and SOC 2/SOC 3 reporting.
Long Live SOC. SAS 70 was never designed to be used by service organizations that offer colocation, managed servers or cloud hosting services. It was focused on internal controls used for financial reporting. But because SAS 70 was the only data center auditing standard available, end users required SAS 70 and data center operators hired CPAs to conduct SAS 70 audits as the gold standard for data center operation. But that was the past.
Starting June 15th, the new gold standard for data center operators will be Service Organization Control (SOC) 2 and SOC 3 audit reports. Rather than auditing against a set of controls that the data center operator designates, SOC 2 and SOC 3 have much more stringent audit requirements and a stronger set of controls specifically designed around data center service organizations. I wrote a more detailed explanation of SAS 70, SSAE 16, SOC 2 and SOC 3 recently, but here’s the lowdown:
SOC 2 and SOC 3 also provide a standard benchmark by which two data center audits can be compared against each other. In contrast to a SAS 70 (and the newer SSAE 16 audit), where the data center operator defines the criteria for the audit, the SOC 2 report uses specifically pre-defined control criteria related to 1) security, 2) availability, 3) processing integrity, 4) confidentiality or 5) privacy of a system and its information.
There seems to be some confusion about SSAE 16 compared to SOC 2 and SOC 3 audit reports. Under the new AICPA reporting standards, an audit conducted under SSAE 16 will only result in a SOC 1 report. Like SAS 70, SSAE 16 and SOC 1 reports focus only on internal control over financial reporting and provide no standards or benchmarks around the quality of data center operations like those SOC 2 & SOC 3 provide.
In essence, SOC 2 & SOC 3 raise the bar for data center operators. High quality colocation, managed server and cloud hosting providers will shine under these new stringent audits, which reflect processes and controls they are likely already running under. Others will choose a lower bar – either trying to slip their SAS 70 in under the wire to buy time, or only auditing to the SSAE 16 standard, where they set the bar themselves and so can be sure to meet it.
SAS 70 is dead, long live SOC 2 and SOC 3 data center auditing…
… and let the data center auditing games begin!
Update: SAS 70 reports only on controls related to financial reporting. If you need assurance of controls directly related to data centers, including privacy, security and availability, look for a SOC 2 report.
SAS 70 was replaced by SSAE 16 in June 2011.