SAS 70, SSAE 16, SOC 2 and SOC 3 Data Center Standards

I just got off the phone with our data center auditors, UHY LLP, with an update on what’s going on in the world of SAS 70, SSAE 16, SOC 2 and SOC 3 auditing standards for data centers.

SAS 70 (Statement on Auditing Standards No. 70) has been around for nearly 20 years. First released in 1992, it has been the gold standard for data center users to assure that their data center is secure and operating under proper control systems. The problem, according to the American Institute of CPAs (AICPA), is that SAS 70 was never designed to be used in this manner by service organizations that offer colocation, managed servers or cloud hosting services: it was focused on internal controls over financial reporting.

A SAS 70 audit only verifies that the controls and processes that the data center operator has in place are followed.  There is no minimum bar that the data center operator has to achieve and no benchmark to hold data center operators accountable to.  A data center with strong controls and processes can claim the same level of audit as a data center operator with weak controls and systems.  The only way a user can tell the difference is to read through the detailed audit report.

A prevalent misunderstanding about SAS 70 is that after completing a SAS 70 audit, a data center or other service organization becomes “SAS 70 Certified”. No such official certification exists for SAS 70, so many service providers that have survived a SAS 70 audit have simply created their own logo, which itself shows the demand for a genuine certification issued by outside auditors.

Enter SSAE 16, SOC 2 and SOC 3 auditing standards.

SSAE 16 (Statement on Standards for Attestation Engagements No. 16) is the next generation of AICPA standards for reporting on controls at service organizations (including data centers) in the United States. SSAE 16 goes beyond SAS 70 by requiring the auditor to obtain a written assertion from management regarding the design and operating effectiveness of the controls being reviewed. SSAE 16 also provides better alignment with the international audit standard ISAE 3402.

New Reporting Options

Under the new AICPA reporting standards, an audit that is conducted under SSAE 16 will result in a Service Organization Control (SOC) 1 report.  These reports are still focused on controls relevant to internal control over financial reporting.  In essence, a SOC 1 report will be the form of reporting once the SSAE 16 audit is complete.

As with the old SAS 70, SOC 1 reports will be available as Type 1 or Type 2 reports.   Type 1 reports present the auditors’ opinion regarding the accuracy and completeness of management’s description of the system or service as well as the suitability of the design of controls as of a specific date.  A Type 2 SOC 1 report includes the Type 1 criteria AND audits the operating effectiveness of the controls throughout a declared time period, generally between six months and one year.  Like SAS 70, there is no official SSAE 16 or SOC 1 certification.

SOC 2 and SOC 3 provide much more stringent audit requirements, with a stronger set of controls and requirements specifically designed around data center service organizations. SOC 2 and SOC 3 provide a standard benchmark by which two data center audits can be compared against the same set of criteria. In contrast to an SSAE 16 engagement, where the data center operator defines the criteria for the audit, a SOC 2 report uses specifically pre-defined control criteria related to 1) security, 2) availability, 3) processing integrity, 4) confidentiality or 5) privacy of a system and its information.

SOC 2 provides what was missing in the SAS 70 and SSAE 16 – a standard benchmark by which two data center audit reports can be compared and the reader can be assured that the same set of criteria was used to evaluate each.

SOC 3 reports provide the same level of assurance about controls over security, availability, processing integrity, confidentiality and/or privacy as a SOC 2 report. The difference is that a SOC 3 report is intended for general release: instead of the detailed description of the testing performed by the auditor, it contains only a summary opinion regarding the effectiveness of the controls in place at the data center or service organization.

SOC 3 also delivers what high tier data center operators have been screaming for – certification! Once the auditor is assured that the data center operator has achieved the trust services criteria, the company can display the SOC 3: SysTrust for Service Organizations seal.

(Image: SOC 3 Certified Data Center seal)

While this seal still looks like it was designed by a CPA, it’s a huge step in the right direction. (I’m guessing that unless the AICPA adds some marketing flair to the certification logo, companies will create their own logos that clients and users can more readily understand.) Now, high quality colocation, cloud hosting and Software-as-a-Service (SaaS) providers have a standard and certification process they can adhere to. SOC 2 and SOC 3 provide data center users a high level of assurance that their data center is secure, highly available and operating under a consistent set of high integrity processes.

SOC 2 and SOC 3 – Welcome Standards to the Data Center Industry

SOC 2 and SOC 3 are welcome standards to our industry.  They will raise the bar for some, and allow others to shine under the stringent processes they are already running under.  Users will get what they’ve been looking for – a standard benchmark against which to compare data center operators.

High quality colocation, managed servers, cloud hosting and SaaS providers will get what they’ve been looking for – a certification process that provides their users a high level of assurance about the quality of their data center security, availability and process integrity.

You can read more detail on SSAE 16, SOC 2 and SOC 3 in the guest blog posted by our auditor, David Barton of UHY LLP – SOCs and SASs: The New Standards for Service Organization Controls Reporting.

UPDATE (3/27/2011) – I recently read a white paper from a firm in Missouri that positions SOC 2 and SOC 3 as part of SSAE 16. That wasn’t my understanding, and when I checked with our auditors, here is what they told me:

SOC 2 and SOC 3 reports are not part of SSAE 16.  SOC 2 and SOC 3 are conducted under AT 101.  There is no SSAE for these reports.  The chart below comes from the AICPA brochure regarding the new reporting standards:

(Image: AICPA chart comparing SSAE 16, SOC 2 and SOC 3 standards for data centers)

The entire report is available here:

http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/TrustServices/DownloadableDocuments/10957-378%20SOC%20Whitepaper.pdf

Hope this helps.


4 Responses to SAS 70, SSAE 16, SOC 2 and SOC 3 Data Center Standards

  1. Hello Mike,
    I read your article earlier today titled “SAS 70, SSAE 16, SOC and Data Center Standards” on Data Center Knowledge regarding the transition from SAS 70 reports to the new SOC reports and I think the article does a good job explaining some of the marketplace confusion that was surrounding the issue as well as the reasons we’ve issued the new SOC report and what they are intended to be used for.

    I am writing to you because there was one point that I wanted to clarify and see if it was at all possible for you to revise or update the article for clarification.

    In the second paragraph you describe SAS 70 as being “First released in 1992, it has been the gold standard for data center users to assure that their data center is secure and operating under proper control systems. According to the American Institute of CPAs (AICPA), SAS 70 was never designed to be used by service organizations. It was focused on internal controls over financial reporting.”

    I think the phrase “in this manner” is missing at the end of “designed to be used by service organizations” – which changes the meaning of the sentence.

    In actuality, SAS 70 reports were never designed to be used by service organizations to market their systems (which you touch upon in the paragraph about organizations who would claim they are “SAS 70 certified”). The primary purpose of these reports was to provide auditors of entities that use a service organization with information about the service organization’s system and assurance about controls over the system that are relevant to the user entities’ internal control over financial reporting. Such information and assurance is needed because certain controls at the service organization affect the quality of the information generated by the service organization, provided to the user entities, and incorporated in the user entities’ financial statements.

    Please let me know if it is possible for you to revise the article for clarification – because I think otherwise it does do an excellent job of addressing the marketplace confusion and why the SOC reports are so important.

    Thank you,
    James Schiavone
    Media Relations Specialist, Communications & Media Channels
    AICPA

  2. Pingback: SAS 70 is Dead – Long Live SOC 2 and SOC 3 | Kastory

  3. Pingback: SAS 70 is Dead – Long Live SOC 2 and SOC 3

  4. Pingback: SAS 70 is Dead – Long Live SOC 2 and SOC 3 - Cloud Hosting Comparison
