Why Data Centers Need SSAE 16

Thursday, September 29, 2011

SSAE 16 is one of the most widely known tools for providing assurances to data center customers.  It is demanded by customers and there is no substitute for it.  

And yet, a myth that the SSAE 16 standard is not applicable to the industry persists.  As such, data center providers have no choice but to arm themselves with the following facts about SSAE 16 applicability.

The Technical Basis

The technical guidance for SSAE 16 has two major components: the SSAE 16 standard itself and the related guide titled “Service Organizations – Applying SSAE No. 16, Reporting on Controls at a Service Organization (SOC 1)”.

The very first paragraph of the SSAE 16 standard states that it is applicable when reporting on “controls at organizations that provide services to user entities [i.e., customers] when those controls are likely to be relevant to user entities internal control over financial reporting.”

Data centers, colocation providers and managed service providers (collectively “data centers”) that host systems relevant to their customers’ financial reporting are responsible for certain controls over those systems, such as physical and environmental security. Therefore, SSAE 16 is applicable to data center services according to the professional guidance. Period. End of story.

Furthermore, there is no basis for blanket statements that SSAE 16 is not applicable to data centers.   The SSAE 16 guidance does not contain a special exclusion for the data center industry, or any other industry for that matter.  

On the contrary, every time the guidance touches on this topic, it provides more support for the applicability of SSAE 16.

For example, the SSAE 16 guide provides the following examples of service organizations that perform functions relevant to customers’ internal control over financial reporting – ISPs, Web hosting providers, and ASPs, including those that “provide services similar to traditional mainframe data center service bureaus”. (Ref. Par. 1.06)

If SSAE 16 is applicable to Web hosting providers, rest assured that it is applicable to data center providers. Before anyone claims that an “ASP” is not a data center, keep in mind that we are dealing with a decade-old catch-all definition poorly crafted by CPAs. It was never meant to be a technical definition. And despite being poorly written, its intent of clarifying the applicability of SSAE 16 to third-party IT service providers is very clear.

The IT General Controls Falsehood

What about the claim that SSAE 16 should not be applied exclusively to general IT controls? There simply is no technical support for such a claim when the underlying controls have a relevance to customers’ internal control over financial reporting.  

The SSAE 16 guide states that control objectives should “include general computer control objectives that are necessary to achieve the application control objectives […] and are therefore likely to be relevant to controls over financial reporting at user entities.”  It then follows the statement with four pages of illustrative general IT control objectives such as information security, change management, and computer operations topics. (Ref. Par. 4.50)

It is also important to note that general IT control objectives for a typical service organization are the application control objectives for a data center.  In other words, a data center’s services are, from an SSAE 16 perspective, the provision of IT general controls, whereas general IT controls are merely the supporting cast in other SSAE 16 examinations.

When “general computer control objectives” are the responsibility of a third-party data center, the service organization has to decide whether it will include the data center’s services within the scope of its examination (the “inclusive” reporting method) or exclude them (the “carve-out” reporting method).

Everyone agrees that this is the proper handling of data centers that host relevant systems.  So if a data center’s services can be carved out of a service organization’s SSAE 16 examination, why can’t the data center be the subject of its own SSAE 16 examination?  

It is highly contradictory to believe that SSAE 16 can be applied to a data center in a subservice organization’s role, but not as the actual service organization.

The SOC 2 Alternative (or lack thereof)

But isn’t SOC 2 the appropriate alternative to SSAE 16 (aka SOC 1) for data centers?
Absolutely not.

Although often misunderstood, SSAE 16 and SOC 2 have distinctly different purposes. SSAE 16 is meant to be used in conjunction with the financial statement audit of a service organization’s customers. SOC 2 examinations report on controls related to compliance with one or more of the Trust Services Principles (i.e., security, availability, processing integrity, confidentiality and privacy).

The SOC 2 guide clarifies this when it states (emphasis added):

“A service organization’s controls may be relevant to a user entity’s internal control over financial reporting and also to the trust services principles.  This guide is NOT intended to permit a SOC 2 report to be issued that combines reporting on a service organization’s controls relevant to user entities’ internal control over financial reporting with reporting on controls relevant to the trust services principles.  A service organization may engage a service auditor to separately perform an engagement that addresses a service organization’s controls related to user entities’ internal control over financial reporting.  If a service auditor is engaged to perform both a SOC 1 and SOC 2 engagement, certain testing performed in either engagement may provide evidence for the other engagement.” (Ref. Par. 1.23)

Translation: SOC 2 is not an alternative to SSAE 16. A data center may need to complete both an SSAE 16 examination and a SOC 2 examination, but cannot use one as a substitute for the other. Besides, data centers’ customers, and especially their financial statement auditors, already understand that only an SSAE 16 report is appropriate for the purposes of the customers’ financial statement audits, as was the case with predecessor SAS 70 reports.

I confirmed this point during the AICPA’s SOC webinar conducted on September 22, 2011. During that webinar, I posed the question “Is it possible that data center and colocation providers might need an SOC 1 and an SOC 2 examination if they host financial reporting systems for a portion of their clients?”

The one-word answer from the AICPA presenter: “Yes”

Conclusion

In the real world, customers are demanding ongoing SSAE 16 examinations from their data center providers.  The leading providers of SSAE 16 examinations (i.e., BrightLine and the “Big 4” CPA firms) have considered these issues and continue to perform SSAE 16 examinations for data center providers.  

In fact, many data center providers have already announced the successful completion of SSAE 16 examinations. In light of the evidence, it is clear that SSAE 16 is a valuable assurance standard for data centers and their customers.  

Chris Schellman is the President of BrightLine, the only company in the world accredited as a CPA firm, PCI QSA Company, and ISO 27001 Registrar.  He is a licensed CPA, CISSP and PCI QSA, and has contributed to nearly 1,000 SSAE 16 / SAS 70 examinations.

Cross-posted from Data Center Knowledge 

John Brown: Great info!
Phil Agcaoili: Very informative.

I'm glad to see both sides of the argument and expect to see more healthy conversation in this matter:
Why Data Centers Don't Need SSAE 16
https://www.infosecisland.com/blogview/16080-Why-Data-Centers-Dont-Need-SSAE-16.html
Hedge Hog: I agree, Phil. This article does a great job of correcting the errors of that article. The article is basically moot given that the AICPA has confirmed the applicability of SSAE 16 to data center type providers.
Jon Long: Please read the article that came out today on this topic (http://bit.ly/A9uMW0). David Barton @itcontrolsfreak is right. SSAE16 does not provide assurance regarding security, availability, processing integrity, confidentiality, or privacy.