A SAS 70 audit only verified that the controls and processes that the data center operator has in place were followed. There is no minimum bar that the data center operator has to achieve and no benchmark to hold data center operators accountable to. A data center with strong controls and processes can claim the same level of audit as a data center operator with weak controls and systems. The only way a user can tell the difference is to read through the detailed audit report.<\/p>\n
A prevalent misunderstanding about SAS 70 is that after completing a SAS 70 audit, a data center or other service organization becomes \u201cSAS 70 Certified.\u201d No such official certification exists for SAS 70, so many service providers that have survived a SAS-70 audit have created their own logo, indicating the need for such certification by outside auditors.<\/p>\n
<\/span>Enter SSAE 16, SOC 2 and SOC 3 auditing standards. <\/strong><\/span><\/h3>\n\nUpdate December 2017:<\/strong>\u00a0SSAE 16 has recently been replaced with SSAE 18. For more information about the new standard and resulting SOC 1 report, see our post by guest blogger David Barton of UHY LLP: SSAE 18 vs SSAE 16: Key differences in the new SOC 1 standard<\/a><\/p>\n<\/div>\nSSAE 16<\/a> (Statements on Standards for Attestation Engagements No. 16) is the next generation of AICPA standards for reporting on controls at service organizations (including data centers) in the United States. SSAE 16 goes beyond SAS 70 by requiring the auditor to obtain a written assertion from management regarding the design and operating effectiveness of the controls being reviewed. SSAE 16 also provides better alignment with the international audit standard ISAE 3402.<\/p>\nNew Reporting Options<\/strong><\/p>\nUnder the new AICPA reporting standards, an audit that is conducted under SSAE 16 will result in a Service Organization Control (SOC) 1 report. These reports are still focused on controls relevant to internal control over financial reporting. In essence, a SOC 1 report will be the form of reporting once the SSAE 16 audit is complete.<\/p>\n
As with the old SAS 70, SOC 1 reports will be available as Type 1 or Type 2 reports. Type 1 reports present the auditors\u2019 opinion regarding the accuracy and completeness of management\u2019s description of the system or service as well as the suitability of the design of controls as of a specific date. A Type 2 SOC 1 report includes the Type 1 criteria AND<\/em> audits the operating effectiveness of the controls throughout a declared time period, generally between six months and one year. Like SAS 70, there is no official SSAE 16 or SOC 1 certification.<\/p>\nSOC 2<\/a> and SOC 3<\/a> provide much more stringent audit requirements with a stronger set of controls and requirements specifically designed around data center service organizations. SOC 2<\/a> and SOC 3 provide a standard benchmark by which two data center audits can be compared against the same set of criteria. In contrast to an SSAE-16 engagement, where the data center operator defines the criteria for an audit, the SOC 2 report<\/a> uses specifically pre-defined control criteria related to 1) security, 2) availability, 3) processing integrity, 4) confidentiality or 5) privacy of a system and its information.<\/p>\nSOC 2 provides what was missing in the SAS 70 and SSAE 16<\/strong> – a standard benchmark by which two data center audit reports can be compared and the reader can be assured that the same set of criteria was used to evaluate each.<\/p>\nSOC 3 reports provide the same level of assurance about controls over security, availability, processing integrity, confidentiality and\/or privacy as a SOC 2 report, but the report is intended for general release and does not contain the detailed description of the testing performed by the auditor, but rather, a summary opinion regarding the effectiveness of the controls in place at the data center or service organization.<\/p>\n
SOC 3 <\/strong>also meets the demand that high tier data center operators have been screaming for \u2013 Certification!<\/strong> Once the auditor is assured that the data center operator has achieved the trust services criteria, the company can display the SOC 3: SysTrust for Service Organizations seal.<\/p>\n![\"SOC](\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/SOC-3-Certified.jpg\" "\\"SOC")
<\/a>SOC 3 Certification<\/figcaption><\/figure>\nWhile this seal still looks like it was designed by a CPA, it\u2019s a huge step in the right direction. (I\u2019m guessing that unless the AICPA adds some marketing flair to the certification logo, companies will create their own logos that clients and users can more readily understand.) Now, high quality colocation, cloud hosting and Software-as-a-Service <\/a>(SaaS) providers have a standard and certification process they can adhere to. SOC 2 and SOC 3 provides data center users a high level of assurance that their data center is secure, highly available and operating under a consistent set of high integrity processes.<\/p>\n<\/span>SOC 2 and SOC 3 \u2013 Welcome Standards to the Data Center Industry<\/strong><\/span><\/h3>\nSOC 2 and SOC 3 are welcome standards to our industry. They will raise the bar for some, and allow others to shine under the stringent processes they are already running under. Users will get what they\u2019ve been looking for \u2013 a standard benchmark against which to compare data center operators.<\/p>\n
High quality colocation<\/a>, managed servers<\/a>, cloud hosting and SaaS providers will get what they\u2019ve been looking for \u2013 a certification process that provides their users a high level of assurance about the quality of their data center security, availability and process integrity.<\/p>\nYou can read more detail on SSAE 16, SOC-2 and SOC-3 in the guest blog posted by our auditor, David Barton of UHY LLC – SOCs and SASs: The New Standards for Service Organization Controls Reporting<\/a>.<\/p>\nUPDATE (3\/27\/2011) <\/strong>– I recently read a white paper from a firm in Missouri that positions SOC-2 and SOC-3 as part of SSAE-16. That wasn’t my understanding, and when I checked with our auditors, here is what they told me:<\/p>\nSOC 2 and SOC 3 reports are not part of SSAE 16. SOC 2 and SOC 3 are conducted under AT 101. There is no SSAE for these reports. The chart below comes from the AICPA brochure regarding the new reporting standards:<\/p>\n
![\"SSAE](\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/SOC-new-standards-and-options-table-1.jpg\" "\\"SSAE")
<\/p>\n
The entire report is available here:<\/p>\n
https:\/\/www.aicpa.org\/InterestAreas\/InformationTechnology\/Resources\/TrustServices\/DownloadableDocuments\/10957-378%20SOC%20Whitepaper.pdf<\/a><\/p>\nHope this helps.<\/p>\n
<\/span>Additional resources<\/span><\/h2>\nGet more information about SAS 70, SSAE 16 and SOC from the following:<\/p>\n
SAS 70, SSAE 16, and SOC comparison:<\/a><\/em>
\nWhat\u2019s the difference between SAS 70, SSAE 16 and SOC? SAS 70 is the old standard that was never designed for certain service organizations that offer colocation… (Continue Reading)<\/a><\/p>\n SOC 1, SOC 2, SOC 3 report comparison:<\/a> <\/em>
\nIn April 2010, the AICPA (American Institute of Certified Public Accountants) announced the replacement of SAS 70 by a new and refined auditing standard, the Statement on Standards for Attestation Engagements or SSAE 16. While SAS 70 was originally…(Continue Reading)<\/a><\/p>\nWhat is a Service Organization Control (SOC) 2 Report?\u00a0<\/a><\/em>
\nIntroduced in 2011, Service Organization Control (SOC) reports are becoming more and more popular in data security and compliance discussions\u00a0with every passing year, especially SOC 2<\/a>\u00a0…\u00a0(Continue Reading)<\/a><\/p>\n
Update December 2017:<\/strong>\u00a0SSAE 16 has recently been replaced with SSAE 18. For more information about the new standard and resulting SOC 1 report, see our post by guest blogger David Barton of UHY LLP: SSAE 18 vs SSAE 16: Key differences in the new SOC 1 standard<\/a><\/p>\n<\/div>\n SSAE 16<\/a> (Statements on Standards for Attestation Engagements No. 16) is the next generation of AICPA standards for reporting on controls at service organizations (including data centers) in the United States. SSAE 16 goes beyond SAS 70 by requiring the auditor to obtain a written assertion from management regarding the design and operating effectiveness of the controls being reviewed. SSAE 16 also provides better alignment with the international audit standard ISAE 3402.<\/p>\n New Reporting Options<\/strong><\/p>\n Under the new AICPA reporting standards, an audit that is conducted under SSAE 16 will result in a Service Organization Control (SOC) 1 report. These reports are still focused on controls relevant to internal control over financial reporting. In essence, a SOC 1 report will be the form of reporting once the SSAE 16 audit is complete.<\/p>\n As with the old SAS 70, SOC 1 reports will be available as Type 1 or Type 2 reports. Type 1 reports present the auditors\u2019 opinion regarding the accuracy and completeness of management\u2019s description of the system or service as well as the suitability of the design of controls as of a specific date. A Type 2 SOC 1 report includes the Type 1 criteria AND<\/em> audits the operating effectiveness of the controls throughout a declared time period, generally between six months and one year. Like SAS 70, there is no official SSAE 16 or SOC 1 certification.<\/p>\n SOC 2<\/a> and SOC 3<\/a> provide much more stringent audit requirements with a stronger set of controls and requirements specifically designed around data center service organizations. SOC 2<\/a> and SOC 3 provide a standard benchmark by which two data center audits can be compared against the same set of criteria. In contrast to an SSAE-16 engagement, where the data center operator defines the criteria for an audit, the SOC 2 report<\/a> uses specifically pre-defined control criteria related to 1) security, 2) availability, 3) processing integrity, 4) confidentiality or 5) privacy of a system and its information.<\/p>\n SOC 2 provides what was missing in the SAS 70 and SSAE 16<\/strong> – a standard benchmark by which two data center audit reports can be compared and the reader can be assured that the same set of criteria was used to evaluate each.<\/p>\n SOC 3 reports provide the same level of assurance about controls over security, availability, processing integrity, confidentiality and\/or privacy as a SOC 2 report, but the report is intended for general release and does not contain the detailed description of the testing performed by the auditor, but rather, a summary opinion regarding the effectiveness of the controls in place at the data center or service organization.<\/p>\n SOC 3 <\/strong>also meets the demand that high tier data center operators have been screaming for \u2013 Certification!<\/strong> Once the auditor is assured that the data center operator has achieved the trust services criteria, the company can display the SOC 3: SysTrust for Service Organizations seal.<\/p>\n While this seal still looks like it was designed by a CPA, it\u2019s a huge step in the right direction. (I\u2019m guessing that unless the AICPA adds some marketing flair to the certification logo, companies will create their own logos that clients and users can more readily understand.) Now, high quality colocation, cloud hosting and Software-as-a-Service <\/a>(SaaS) providers have a standard and certification process they can adhere to. SOC 2 and SOC 3 provides data center users a high level of assurance that their data center is secure, highly available and operating under a consistent set of high integrity processes.<\/p>\n SOC 2 and SOC 3 are welcome standards to our industry. They will raise the bar for some, and allow others to shine under the stringent processes they are already running under. Users will get what they\u2019ve been looking for \u2013 a standard benchmark against which to compare data center operators.<\/p>\n High quality colocation<\/a>, managed servers<\/a>, cloud hosting and SaaS providers will get what they\u2019ve been looking for \u2013 a certification process that provides their users a high level of assurance about the quality of their data center security, availability and process integrity.<\/p>\n You can read more detail on SSAE 16, SOC-2 and SOC-3 in the guest blog posted by our auditor, David Barton of UHY LLC – SOCs and SASs: The New Standards for Service Organization Controls Reporting<\/a>.<\/p>\n UPDATE (3\/27\/2011) <\/strong>– I recently read a white paper from a firm in Missouri that positions SOC-2 and SOC-3 as part of SSAE-16. That wasn’t my understanding, and when I checked with our auditors, here is what they told me:<\/p>\n SOC 2 and SOC 3 reports are not part of SSAE 16. SOC 2 and SOC 3 are conducted under AT 101. There is no SSAE for these reports. The chart below comes from the AICPA brochure regarding the new reporting standards:<\/p>\n The entire report is available here:<\/p>\n https:\/\/www.aicpa.org\/InterestAreas\/InformationTechnology\/Resources\/TrustServices\/DownloadableDocuments\/10957-378%20SOC%20Whitepaper.pdf<\/a><\/p>\n Hope this helps.<\/p>\n Get more information about SAS 70, SSAE 16 and SOC from the following:<\/p>\n SAS 70, SSAE 16, and SOC comparison:<\/a><\/em> SOC 1, SOC 2, SOC 3 report comparison:<\/a> <\/em> What is a Service Organization Control (SOC) 2 Report?\u00a0<\/a><\/em><\/a><\/span>SOC 2 and SOC 3 \u2013 Welcome Standards to the Data Center Industry<\/strong><\/span><\/h3>\n
<\/p>\n<\/span>Additional resources<\/span><\/h2>\n
\nWhat\u2019s the difference between SAS 70, SSAE 16 and SOC? SAS 70 is the old standard that was never designed for certain service organizations that offer colocation… (Continue Reading)<\/a><\/p>\n
\nIn April 2010, the AICPA (American Institute of Certified Public Accountants) announced the replacement of SAS 70 by a new and refined auditing standard, the Statement on Standards for Attestation Engagements or SSAE 16. While SAS 70 was originally…(Continue Reading)<\/a><\/p>\n
\nIntroduced in 2011, Service Organization Control (SOC) reports are becoming more and more popular in data security and compliance discussions\u00a0with every passing year, especially SOC 2<\/a>\u00a0…\u00a0(Continue Reading)<\/a><\/p>\n