The Statement on Auditing Standards No. 70 (SAS 70) has been around for nearly 20 years. First released in 1992, it was the gold standard for assuring data center users that their data center was secure and operating under proper control systems. The problem with SAS 70, according to the American Institute of CPAs (AICPA), was that it focused only on internal controls over financial reporting. It was never designed to be used by service organizations that offer co-location, managed servers or cloud hosting services.
Furthermore, an SAS 70 audit only verified that the controls and processes that the data center operator had in place were followed. There was no minimum bar that the data center operator had to achieve and no benchmark to hold a data center operator accountable to. A data center operator with weak controls and processes could claim the same level of audit success as a data center operator with strong controls and processes. The only way a user could tell the difference was to read through the detailed audit report.
On June 15, 2011, SAS 70 was officially superseded by the Statement on Standards for Attestation Engagements No. 16 (SSAE 16). At the same time, the AICPA also announced a broader Service Organization Control (SOC) framework, which offers a vendor yet another option in providing risk-management assurance to its customers.
SSAE 16 is the next-generation AICPA standard for control reporting at service organizations (including data centers) in the United States. SSAE 16 goes beyond SAS 70 by requiring an auditor to obtain a written assertion from management regarding the design and operating effectiveness of the controls being reviewed. SSAE 16 is also more closely aligned with the International Standard on Assurance Engagements (ISAE) 3402.
New Reporting Options
SOC 1 Reports: Under the new AICPA reporting standards, an audit conducted under SSAE 16 results in a SOC 1 report. This report, however, will still focus on internal controls over financial reporting. Overall, SOC 1 will be the basic form of reporting for SSAE 16 audits.
As with the old SAS 70, SOC 1 reports will be available as Type 1 or Type 2 reports:
A Type 1 report will present the auditor’s opinion regarding the accuracy and completeness of management’s description of the system or service as well as the suitability of the controls’ design as of a specific date.
A Type 2 SOC 1 report will include the Type 1 criteria but will also audit the operating effectiveness of the controls throughout a specific time period. As with SAS 70, there is no official SSAE 16 or SOC 1 certification.
SOC 2 Reports: SOC 2 provides much more stringent audit standards with a stronger set of controls and requirements specifically designed for data center service organizations. In contrast to an SSAE 16 engagement, where the data center operator defines the criteria for an audit, the SOC 2 report is based on predefined controls outlined within the AICPA Trust Services Principles and Criteria. These criteria have been developed by the AICPA specifically for evaluating the design and operating effectiveness of controls at a data center or other service organization. The AICPA defines the Trust Principles as the five attributes of a reliable system:
Security: The system is protected against unauthorized access (both physical and logical).
Availability: The system is available for operation and use as committed or agreed.
Processing integrity: System processing is complete, accurate, timely and authorized.
Confidentiality: Information designated as confidential is protected as committed or agreed.
Privacy: Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice and criteria set forth in Generally Accepted Privacy Principles issued jointly by the AICPA and the Canadian Institute of Chartered Accountants.
Similar to SOC 1, a SOC 2 audit may result in two types of reports:
Type 1 provides for a report on the fairness of management's presentation and description of the organization's control system and the suitability of the controls’ design in meeting the applicable criteria.
Type 2 provides for a report that is the same as a Type 1 report but which also includes (1) the service auditor's opinion on the operating effectiveness of the controls in meeting the applicable criteria and (2) a description of the service auditor's tests of the operating effectiveness of the controls and the results of those tests.
Use of SOC 2 reports is generally restricted to the service organization and customer personnel and professionals working on its behalf.
SOC 3 Reports:
SOC 3 provides the same level of assurance about controls as outlined in the SOC 2 requirements. The report, however, is intended for general release and does not contain the same detailed description of the testing performed by the auditor. Rather, a SOC 3 report will contain a summary opinion regarding the effectiveness of the controls in place at the data center or service organization. Once the auditor reports that the service provider has achieved the trust services criteria, the company may display the “SOC 3: SysTrust for Service Organizations” seal.
Recent developments in audit standards for internal controls have begun to address the unique issues faced by data service organizations. SSAE 16, with its multiple reporting levels and written assertion requirement, is a good start toward ensuring that data service organizations have sufficient internal controls in place. Although baseline SOC 1 reporting remains focused on internal controls over financial reporting, a data service organization that maintains high internal standards may now use SOC 2 and SOC 3 reports to demonstrate to auditors and its clients the effectiveness of its internal controls.