I just got off the phone with our data center auditors, UHY LLP, with an update on what’s going on in the world of SAS 70, SSAE 16, SOC 2 and SOC 3 auditing standards for data centers.
SAS 70 (Statement on Auditing Standards No. 70) has been around for nearly 20 years. First released in 1992, it has been the gold standard for data center users to assure that their data center is secure and operating under proper control systems. The problem with the SAS 70 standard, according to the American Institute of CPAs (AICPA), is that it was never designed to be used in this manner by service organizations that offer colocation, managed servers or cloud hosting services. It was focused on internal controls over financial reporting.
A SAS 70 audit only verifies that the controls and processes that the data center operator has in place are followed. There is no minimum bar that the data center operator has to achieve and no benchmark to hold data center operators accountable to. A data center with strong controls and processes can claim the same level of audit as a data center operator with weak controls and systems. The only way a user can tell the difference is to read through the detailed audit report.
A prevalent misunderstanding about SAS 70 is that after completing a SAS 70 audit, a data center or other service organization becomes “SAS 70 Certified”. No such official certification exists for SAS 70, so many service providers that have survived a SAS 70 audit have created their own logo, indicating the need for such certification by outside auditors.
Enter SSAE 16, SOC 2 and SOC 3 auditing standards.
SSAE 16 (Statements on Standards for Attestation Engagements No. 16) is the next generation of AICPA standards for reporting on controls at service organizations (including data centers) in the United States. SSAE 16 goes beyond SAS 70 by requiring the auditor to obtain a written assertion from management regarding the design and operating effectiveness of the controls being reviewed. SSAE 16 also provides better alignment with the international audit standard ISAE 3402.
New Reporting Options
Under the new AICPA reporting standards, an audit that is conducted under SSAE 16 will result in a Service Organization Control (SOC) 1 report. These reports are still focused on controls relevant to internal control over financial reporting. In essence, a SOC 1 report will be the form of reporting once the SSAE 16 audit is complete.
As with the old SAS 70, SOC 1 reports will be available as Type 1 or Type 2 reports. Type 1 reports present the auditors’ opinion regarding the accuracy and completeness of management’s description of the system or service as well as the suitability of the design of controls as of a specific date. A Type 2 SOC 1 report includes the Type 1 criteria AND audits the operating effectiveness of the controls throughout a declared time period, generally between six months and one year. Like SAS 70, there is no official SSAE 16 or SOC 1 certification.
SOC 2 and SOC 3 provide much more stringent audit requirements with a stronger set of controls and requirements specifically designed around data center service organizations. SOC 2 and SOC 3 provide a standard benchmark by which two data center audits can be compared against the same set of criteria. In contrast to an SSAE 16 engagement, where the data center operator defines the criteria for an audit, the SOC 2 report uses specifically pre-defined control criteria related to 1) security, 2) availability, 3) processing integrity, 4) confidentiality or 5) privacy of a system and its information.
SOC 2 provides what was missing in the SAS 70 and SSAE 16 – a standard benchmark by which two data center audit reports can be compared and the reader can be assured that the same set of criteria was used to evaluate each.
SOC 3 reports provide the same level of assurance about controls over security, availability, processing integrity, confidentiality and/or privacy as a SOC 2 report, but they are intended for general release. Instead of the detailed description of the testing performed by the auditor, a SOC 3 report contains a summary opinion regarding the effectiveness of the controls in place at the data center or service organization.
SOC 3 also meets the demand that high tier data center operators have been screaming for – Certification! Once the auditor is assured that the data center operator has achieved the trust services criteria, the company can display the SOC 3: SysTrust for Service Organizations seal.
While this seal still looks like it was designed by a CPA, it’s a huge step in the right direction. (I’m guessing that unless the AICPA adds some marketing flair to the certification logo, companies will create their own logos that clients and users can more readily understand.) Now, high quality colocation, cloud hosting and Software-as-a-Service (SaaS) providers have a standard and certification process they can adhere to. SOC 2 and SOC 3 provide data center users a high level of assurance that their data center is secure, highly available and operating under a consistent set of high integrity processes.
SOC 2 and SOC 3 – Welcome Standards to the Data Center Industry
SOC 2 and SOC 3 are welcome standards to our industry. They will raise the bar for some, and allow others to shine under the stringent processes they are already running under. Users will get what they’ve been looking for – a standard benchmark against which to compare data center operators.
High quality colocation, managed servers, cloud hosting and SaaS providers will get what they’ve been looking for – a certification process that provides their users a high level of assurance about the quality of their data center security, availability and process integrity.
You can read more detail on SSAE 16, SOC 2 and SOC 3 in the guest blog posted by our auditor, David Barton of UHY LLP – SOCs and SASs: The New Standards for Service Organization Controls Reporting.
UPDATE (3/27/2011) - I recently read a white paper from a firm in Missouri that positions SOC-2 and SOC-3 as part of SSAE-16. That wasn’t my understanding, and when I checked with our auditors, here is what they told me:
SOC 2 and SOC 3 reports are not part of SSAE 16. SOC 2 and SOC 3 are conducted under AT 101. There is no SSAE for these reports. The chart below comes from the AICPA brochure regarding the new reporting standards:
The entire report is available here:
Hope this helps.