SSAE 16 is NOT SOC 2

Thursday, December 22, 2011

David Barton


I recently saw the following link related to a data center audit:

Cbeyond One of First SSAE 16 Certified Cloud Companies

Just when I thought things were getting better, along comes this press release that is wrong on so many levels I don’t even know where to begin... but I’ll try.

First off, SSAE 16 is NOT a certification as I have pointed out MANY times (see Just as I Predicted…).

Secondly, SOC 2 is totally unrelated to SSAE 16. Statement on Standards for Attestation Engagements (SSAE) 16 is specific guidance to CPA firms for planning and conducting Service Organization Control (SOC) 1 reviews.

Those are reviews intended for controls at service organizations likely to be relevant to user entities’ internal control over financial reporting.

So far, the AICPA has not released any specific SSAE for SOC 2.  There is an official “guide” to conducting a SOC 2 engagement, but there is not a specific Statement on Standards for Attestation Engagements (SSAE).

The following paragraph highlights the rampant confusion that exists in the marketplace regarding the new AICPA standards for Service Organization audits that replaced the old SAS 70 standard:

“Considered the second-generation data center audit standard, SSAE 16 SOC 2 reviews evaluate the design and operational effectiveness of a center’s controls against a strict series of international standards. Earning SSAE 16 certification demonstrates that Cbeyond Cloud Services is fully compliant with all necessary security and privacy specifications, and demonstrates that its customers are served and hosted in a highly secure, controlled facility.”

Neither SSAE 16 (SOC 1) nor SOC 2 is a “data center audit standard”. And the SOC 2 criteria are NOT an “international standard”.

It is difficult to tell from this press release exactly what Cbeyond did since the press release is mixing SSAE 16 (SOC 1) and SOC 2 together.  Claiming “certification” is just more of the same ignorance that most of the industry shares.

If you are writing or reading press releases from data centers and cloud providers as a normal part of your day, please take the time to understand the new standards and what they mean. 

Press releases like this one do nothing to clear the confusion created by the new SOC standards.  If you have questions about the standards, please speak to a qualified member of a CPA firm in order to ensure you are writing and reading with a full understanding.

John Nicholson The AICPA has an excellent white paper showing the history of the various audits and how SOC 1, 2 and 3 differ at http://www.aicpa.org/interestareas/informationtechnology/resources/trustservices/downloadabledocuments/10957-378%20soc%20whitepaper.pdf
Jon Long @ITControlsFreak, It might be good to note that SOC2 is based on AT-101 which is based on SSAE 10, SSAE 11, SSAE 12, and SSAE 14

http://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AT-00101.pdf