In April 2010, the AICPA (American Institute of Certified Public Accountants) announced the replacement of SAS 70 by a new and refined auditing standard, the Statement on Standards for Attestation Engagements or SSAE 16. While SAS 70 was originally intended for financial and accounting auditing, the SSAE 16 audit was established to verify data center operational and security excellence.
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
SOC 3 is for public use, and provides the highest level of certification and assurance of operational excellence that a data center can receive. A SOC 2 report includes auditor testing and results, while SOC 3 provides a system description and the auditor’s opinion.
For further clarification, see the chart below, comparing the details and use of each report type.
Why is this important for data center users? Even the AICPA agrees it's more efficient and cost-effective for companies to outsource to data centers that provide cloud computing or managed security, since they already have the experienced personnel, expertise, equipment and technologies in place to accomplish the basics of data hosting and security.
To mitigate risks associated with outsourcing your data hosting infrastructure, the AICPA suggests comparing SOC reports from a variety of vendors to make an informed decision when trusting service organizations with the security of your company’s critical information.



