{"id":1526,"date":"2011-04-13T00:00:00","date_gmt":"2011-04-13T00:00:00","guid":{"rendered":"http:\/\/otava.test\/sas-70-is-dead-long-live-soc-2-soc-3\/"},"modified":"2011-04-13T00:00:00","modified_gmt":"2011-04-13T00:00:00","slug":"sas-70-is-dead-long-live-soc-2-soc-3","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/","title":{"rendered":"SAS 70 is Dead \u2013 Long Live SOC 2 and SOC 3"},"content":{"rendered":"

We\u2019re in the final vigil for SAS 70. The oxygen has been brought out and the last rites are being given, and while a few data centers are scrambling to get a SAS\u00a0 70 audit before the bell tolls, on June 15, 2011, SAS 70 will be dead.\u00a0 Auditors will no longer conduct SAS 70 audits or issue SAS 70 audit reports, as the AICPA (American Institute of CPAs) switches to SSAE 16<\/a> and SOC 2\/SOC3 reporting.<\/p>\n

Long Live SOC.\u00a0 SAS 70 was never designed to be used by service organizations that offer colocation<\/a>, managed servers or cloud hosting services<\/a>. It was focused on internal controls used for financial reporting.\u00a0 But because SAS 70 was the only data center auditing standard available, end users required SAS 70 and data center operators hired CPAs to conduct SAS 70 audits as the gold standard for data center operation. But that was the past.<\/p>\n

Starting June 15th<\/sup>, the new gold standard for data center operators will be Service Organization Control (SOC) 2 and SOC 3 audit reports.\u00a0\u00a0 Rather than audit against a set of controls that the data center operator designates, SOC 2 and SOC 3 have much more stringent audit requirements and a stronger set of controls specifically designed around data center service organizations. I wrote a more detailed explanation of SAS 70, SSAE 16, SOC 2 and SOC 3 <\/a>recently, but here’s the low down:<\/p>\n

SOC 2 and SOC 3 also provide a standard benchmark by which two data center audits can be compared against each other. In contrast to an SAS 70 (and the newer SSAE-16 \u00a0audit), where the data center operator defines the criteria for an audit, the SOC 2 Report uses specifically pre-defined control \u00a0criteria related to 1) security, 2) availability, 3) processing integrity, 4) confidentiality or 5) privacy of a system and its information.<\/p>\n

There seems to be some confusion about SSAE 16 compared to SOC 2 and SOC 3 audit reports. Under the new AICPA reporting standards, an audit conducted under SSAE 16 will only result in an SOC 1 report.\u00a0 Like SAS 70, SSAE 16 and SOC 1 reports will only focus on internal control over financial reporting and provide no standards or benchmarks around the quality of the data center operations like SOC 2 & SOC 3 provide.<\/p>\n

In essence, SOC 2 & SOC 3 raise the bar for data center operators.\u00a0 High quality colocation<\/a>, managed server<\/a> and cloud hosting <\/a>providers will shine under these new stringent audits that reflect processes and controls that they are likely already running under.\u00a0 Others will choose a lower bar \u2013 either trying to slip their SAS 70 in under the wire to buy time, or only auditing to the SSAE 16 standard where they can set the bar so they can meet it.<\/p>\n

SAS 70 is dead, long live SOC 2 and SOC 3<\/a> data center auditing\u2026<\/p>\n

… and let the data center auditing games begin!<\/p>\n

\n

Update:<\/strong> SAS 70 reports only on controls related to financial reporting. If you need assurance of controls directly related to data centers, including privacy, security and availability, look for a SOC 2 report<\/a>.
\nSAS 70 was replaced by SSAE 16 in June 2011.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

We\u2019re in the final vigil for SAS 70. The oxygen has been brought out and the last rites are being given, and while a few data centers are scrambling to get a SAS\u00a0 70 audit before the bell tolls, on June 15, 2011, SAS 70 will be dead.\u00a0 Auditors will no longer conduct SAS 70 audits or issue SAS 70 audit reports, as the AICPA (American Institute of CPAs) switches to SSAE 16 and SOC 2\/SOC3 reporting. Long Live SOC.\u00a0 SAS 70 was never designed to be used by service organizations that offer colocation, managed servers or cloud hosting services. It was focused on internal controls used for financial reporting.\u00a0 But because SAS 70 was the only data center auditing standard available, end users required SAS 70 and data center operators hired CPAs to conduct SAS 70 audits as the gold standard for data center operation. But that was the past. Starting June 15th, the new gold standard for data center operators will be Service Organization Control (SOC) 2 and SOC 3 audit reports.\u00a0\u00a0 Rather than audit against a set of controls that the data center operator designates, SOC 2 and SOC 3 have much more stringent audit requirements and…<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"other_category":[],"class_list":["post-1526","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"acf":[],"yoast_head":"\nSAS 70 is Dead \u2013 Long Live SOC 2 and SOC 3 | OTAVA<\/title>\n<meta name=\"description\" content=\"SAS 70 was never designed to be used by service organizations that offer cloud hosting services. Instead, service organizations should use SOC 2 reports.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SAS 70 is Dead \u2013 Long Live SOC 2 and SOC 3\" \/>\n<meta property=\"og:description\" content=\"SAS 70 was never designed to be used by service organizations that offer cloud hosting services. Instead, service organizations should use SOC 2 reports.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/\" \/>\n<meta property=\"og:site_name\" content=\"OTAVA\" \/>\n<meta property=\"article:published_time\" content=\"2011-04-13T00:00:00+00:00\" \/>\n<meta name=\"author\" content=\"Irma Brillantes\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Irma Brillantes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/\"},\"author\":{\"name\":\"Irma Brillantes\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\"},\"headline\":\"SAS 70 is Dead \u2013 Long Live SOC 2 and SOC 3\",\"datePublished\":\"2011-04-13T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/\"},\"wordCount\":489,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/\",\"url\":\"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/\",\"name\":\"SAS 70 is Dead \u2013 Long Live SOC 2 and SOC 3 | OTAVA\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/#website\"},\"datePublished\":\"2011-04-13T00:00:00+00:00\",\"description\":\"SAS 70 was never designed to be used by service organizations that offer cloud hosting services. Instead, service organizations should use SOC 2 reports.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.otava.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SAS 70 is Dead \u2013 Long Live SOC 2 and SOC 3\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.otava.com\/#website\",\"url\":\"https:\/\/www.otava.com\/\",\"name\":\"OTAVA\u00ae\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.otava.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.otava.com\/#organization\",\"name\":\"OTAVA\u00ae\",\"url\":\"https:\/\/www.otava.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"contentUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"caption\":\"OTAVA\u00ae\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\",\"name\":\"Irma Brillantes\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"caption\":\"Irma Brillantes\"},\"url\":\"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"SAS 70 is Dead \u2013 Long Live SOC 2 and SOC 3 | OTAVA","description":"SAS 70 was never designed to be used by service organizations that offer cloud hosting services. Instead, service organizations should use SOC 2 reports.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/","og_locale":"en_US","og_type":"article","og_title":"SAS 70 is Dead \u2013 Long Live SOC 2 and SOC 3","og_description":"SAS 70 was never designed to be used by service organizations that offer cloud hosting services. Instead, service organizations should use SOC 2 reports.","og_url":"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/","og_site_name":"OTAVA","article_published_time":"2011-04-13T00:00:00+00:00","author":"Irma Brillantes","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Irma Brillantes","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/#article","isPartOf":{"@id":"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/"},"author":{"name":"Irma Brillantes","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263"},"headline":"SAS 70 is Dead \u2013 Long Live SOC 2 and SOC 3","datePublished":"2011-04-13T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/"},"wordCount":489,"commentCount":0,"publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/","url":"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/","name":"SAS 70 is Dead \u2013 Long Live SOC 2 and SOC 3 | OTAVA","isPartOf":{"@id":"https:\/\/www.otava.com\/#website"},"datePublished":"2011-04-13T00:00:00+00:00","description":"SAS 70 was never designed to be used by service organizations that offer cloud hosting services. Instead, service organizations should use SOC 2 reports.","breadcrumb":{"@id":"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.otava.com\/blog\/sas-70-is-dead-long-live-soc-2-soc-3\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.otava.com\/"},{"@type":"ListItem","position":2,"name":"SAS 70 is Dead \u2013 Long Live SOC 2 and SOC 3"}]},{"@type":"WebSite","@id":"https:\/\/www.otava.com\/#website","url":"https:\/\/www.otava.com\/","name":"OTAVA\u00ae","description":"","publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.otava.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.otava.com\/#organization","name":"OTAVA\u00ae","url":"https:\/\/www.otava.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","caption":"OTAVA\u00ae"},"image":{"@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263","name":"Irma Brillantes","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","caption":"Irma Brillantes"},"url":"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/"}]}},"_links":{"self":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/1526","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/comments?post=1526"}],"version-history":[{"count":0,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/1526\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/media?parent=1526"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/categories?post=1526"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/tags?post=1526"},{"taxonomy":"other_category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/other_category?post=1526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}