15 Jan

SAS 70 has been replaced by SSAE 16

What does that mean for service providers and their customers?

SAS 70 is the long-time audit standard that has been a “must” for service providers (data center operators, cloud providers, etc.) that need to test and validate their security controls. A SAS 70 compliance rating has been the gold standard for data center users to gain assurance that their data center is secure and operating under proper control systems.

A SAS 70 audit verifies that the “defined” controls and processes that a service provider has implemented are followed. Note that I said the defined controls because a service provider with weak controls and processes can claim the same level of audit compliance as a service provider with strong controls and systems. So with a SAS 70 audit, one must thoroughly read through the details within the audit report to understand the level of controls and processes being used and audited.

Now, if you believe that you’ve mastered SAS 70 audits, I’m sorry to say that it has been superseded by the Statement on Standards for Attestation Engagements 16 (SSAE 16).  The good news is the information required to complete the SSAE 16 is not totally different from SAS 70 because the latter was the base from which SSAE 16 was built.


What is different?

The main difference between SAS 70 and SSAE 16 is the depth of information the service provider will now have to provide, including (among other things):

  • A management attestation of their overall service offering and underlying control structure
  • Verification that appropriate criteria are used for system evaluation
  • Evidence for every control during each assessment, rather than reusing prior evidence

The main reason SSAE 16 requires management attestation of the control structure is that SSAE 16 is an attest standard rather than an audit standard. Instead of only the auditors opining on the controls within the service provider, its management is included in the assessment. The idea is that the attestation process will hold management accountable for their statements on their company’s service delivery system, controls and control objectives. What’s more, SSAE 16 prohibits the use of prior evidence established in previous audits. By comparison, SAS 70 allowed auditors to use evidence gathered in prior audits, which saved some companies a lot of time but didn’t account for changes that could have impacted a data center’s security posture.


What Remains the Same?

SSAE 16, just like SAS 70, does not dictate the controls that must be covered by the assessment. It is for the service provider to decide which controls are essential to the services provided. The service provider must understand what industry control best practices are as well as what their customers’ auditors would consider to be essential controls to support the services being offered when determining the scope of the assessment.

From a provider’s perspective, a potential starting point for defining the scope of an SSAE 16 assessment would be to begin with their service contracts. The contractual obligations around the offered services would help draw the boundaries that define the systems and the controls that support the offering(s).

An SSAE 16 assessment should fulfill the requirements of a service provider’s clients, including publicly traded clients, and it can save service providers time and resources in supporting a customer’s audit request. SSAE 16 is an assessment a service provider completes only one time, providing the same assessment report to any customer’s auditor who requests it.

For more information on SSAE 16, you can visit:

AICPA – http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SSAE.aspx

SSAE16.com – http://www.ssae-16.com/




13 Jan

Website is Live

The right fit is important in both life and business. In our initial discovery phase, we track down solutions that are likely to work for you.

By taking a deep dive into your company’s strengths and weaknesses, we focus on designing sound solutions that serve your customer base and maximize efficiency. We examine your current market position and supporting process, desired growth trajectory, timeline and budgetary realities.

07 Jan

New SOC Reporting and Certification Options

Previously (SAS 70 has been replaced by SSAE 16.  What does that mean for service providers and their customers?) I outlined the similarities and differences between SAS 70 and SSAE 16 audits.  Now I will highlight the reporting options available with SSAE 16 and the additional auditing/reporting options the American Institute of CPAs (AICPA) developed for IT outsource services, e.g. data centers and cloud hosting providers.

SSAE 16 is the new audit standard for “Reporting on Controls at a Service Organization” (including data centers) within the United States.
SSAE offers three Service Organization Controls (SOC) reporting options: SOC 1, SOC 2 and SOC 3.  According to the AICPA the reporting options are “designed to help service organizations, organizations that operate information systems and provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant.  Each type of SOC report is designed to help service organizations meet specific user needs.”

SOC 1 is known as the “Report on Controls at a Service Organization Relevant to User Entities’ Internal Controls over Financial Reporting.” In essence, this is what SAS 70 was supposed to be: reporting on financial controls at a service organization as an auditor-to-auditor communication tool. It was never intended to be a data-center-centric audit.

A SOC 1 report is the basic SSAE 16 report, just like SAS 70, which issues either a Type 1 or Type 2 report. A Type 1 report is an auditor’s opinion on the accuracy and completeness of the service provider’s management description of the system or service, including the appropriateness of the provider’s controls for a specific date in time. The Type 2 includes everything from a Type 1 report AND it verifies the effectiveness of the controls for a specified period of time; a calendar year, for example.

OK, you just went through an SSAE 16 audit and have a SOC 1 report. So now you’re SSAE 16 or SOC 1 “certified,” right? No, you’re not, because a service provider does not receive a certification after they have been SSAE 16 audited. So, don’t call yourself “Certified” (just yet …).

To address the need for a standard approach to auditing of non-financial controls (e.g. IT-centric data center controls) and the need for a certification process, the AICPA created the SOC 2 and SOC 3 reporting standards.

SOC 2 – the “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” – is an audit of non-financial controls related to compliance and operations of a service provider. This report is used by a provider’s management, its customers and prospects, business partners and other organizations associated with a provider as a tool to assess the control environment of a service provider.

This report, as well as the SOC 3, is built upon a set of pre-defined controls outlined within the AICPA Trust Services Principles and Criteria. The AICPA developed these criteria for evaluating the design and operating effectiveness of controls at a data center or other service organizations. The AICPA defines the Trust Principles as five attributes of a reliable system:

  1. Security – The system is protected against unauthorized access (both physical and logical).
  2. Availability – The system is available for operation and use as committed or agreed.
  3. Processing integrity – System processing is complete, accurate, timely, and authorized.
  4. Confidentiality – Information designated as confidential is protected as committed or agreed.
  5. Privacy – Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and criteria set forth in Generally Accepted Privacy Principles issued jointly by the AICPA and the Canadian Institute of Chartered Accountants.

SOC 3 – the “Trust Services Report for Service Organizations” – is a general use report that can be distributed and promoted with the SOC 3 seal on the service organization’s website. It also reports on non-financial controls related to compliance and operations at a service organization listed under the SOC 2 description.

So, what’s the difference? Certification!

Now with a SOC 3 report, data center and other cloud providers can say they are certified once an auditor issues the opinion that the service provider has achieved the trust services criteria. Then and only then can the provider display the “SOC 3: SysTrust for Service Organizations” seal.

What the AICPA has delivered is a real win for both the service provider community and their customers. Both get clarity on control standardization. Moreover, the service provider receives a certification and the customers get what they’ve been seeking – a control benchmark to use when comparing data center operators and outsource service providers.


For more information about the:
