In June, 2011, SAS70 was retired. This report gave customers some level of confidence regarding the service provider’s internal procedures. Now data centers are receiving requests from their customers for SSAE16 reports, the replacement to SAS70.
The challenge associated with the use of SAS70 and SSAE16 is that both standards are focused on internal controls over financial reporting (ICFR) concerns. ICFR is crucial for corporations that must comply with Sarbanes-Oxley requirements. In most cases, however, ICFR is of limited concern for the services data centers provide for customers. With limited reporting options, data centers found themselves in a conundrum.
Because there is confusion around these standards and they still seem to be evolving, this may clarify the situation to some extent:
Statement on Auditing Standards No. 70, SAS70 has been around for nearly 20 years. First released in 1992, it has been the gold standard for data center users to assure that their data center is secure and operating under proper control systems. According to the American Institute of CPAs (AICPA), SAS70 was never designed to be used by service organizations in this way. It was focused on internal controls over financial reporting.
An SAS70 audit verifies that the controls and processes that the data center operator has in place are followed. Although, there is no minimum bar that the data center operator has to achieve and no benchmark to which data center operators are held accountable. A data center with strong controls and processes can claim the same level of audit as a data center operator with weak controls and systems. You have to read through the detailed SAS70 audit report to understand the level of controls and processes deployed and audited.
Enter the new SSAE16 reporting standards.
The next generation of AICPA auditing standards for reporting on controls at service organizations (including data centers) in the United States is SSAE16, which goes beyond SAS70 by requiring the auditor to obtain a written assertion from management regarding the design and operating effectiveness of the controls being reviewed. The new reporting standard, SSAE16, also provides better alignment with the international audit standard ISAE 3402.
The new SSAE16 standards will raise the bar for some, and allow others to shine under the stringent processes they already have in place. Users will get what they’ve been seeking – a standard benchmark to use when comparing data center operators.
Managed hosting services will now get what they deserve — a certification process that provides their users a high level of assurance about the quality of their data center security, availability and process integrity.
Find out more about how VAZATA takes reporting standards seriously: www.VAZATA.com