(This is the first of two reports on SSAE 16, which replaces SAS 70 as the audit standard for service providers)
I’m an old IT audit guy. I spent over a dozen years digging into enterprise data centers and business processes to find the weaknesses in controls and pointing out vulnerabilities so my clients could mitigate the risks before something bad happened. Audit and assurance of controls get complicated when computing resources and data are in the cloud.
The audit community, as well as companies that consume cloud services needed a standard approach to assess controls in the cloud. For lack of any better means of assessment, they embraced SAS 70 as the default approach to assessing the controls of cloud service providers.
The adoption of SAS 70 as de facto industry standard
In a traditional enterprise where all computing is done in house, the internal and external auditors are able to examine all the controls designed to protect the data assets. However, when data and applications move outside the corporate firewall into a hosted environment, it’s not possible for the client to do a firsthand audit of the security controls.
In the absence of this firsthand knowledge, companies that engage a service provider must (1) rely on the provider to protect their data and (2) rely on that provider to perform self-assessment to determine if controls to protect that data are adequate. To accomplish the assessment, SAS 70 became the de facto audit standard of service providers, including data center operators, cloud providers, etc., to assess their security controls and provide their clients assurance that their data is protected.
This assurance is important because at the end of the day, if a company’s data is breached or lost, it does not matter who was processing the data — the company that owns that data is responsible for its protection. To that end, SAS 70 helped provide a level of assurance to service subscribers that controls were in place and working to protect their data while in the care of the service provider.
Now, there are some important changes that you should be aware of. and I’ll try to put things into perspective for you as a consumer of cloud services or as a service provider.
Earlier this year, SSAE 16 officially replaced SAS 70 as the audit standard for service companies. The change was needed for several reasons, but perhaps most important was to bring the SAS 70 audit standard more in line with Sarbanes-Oxley (SOX).
SSAE 16, like SOX, requires the service provider to define their overall business and control processes, plus their assertion of effectiveness prior to a service audit. Then, the service auditors test and assess management’s statements and render an opinion as to their effectiveness. This process is similar to what publically traded companies must endure during their SOX audits: Management is required to assert and attest to the validity of their controls over all their business processes that affect their financial statements — even if processes have been outsourced.
In contrast, SAS 70 was not assertion based. This means that with SAS 70 the service provider management did not describe and offer an opinion on the effectiveness of their processes and controls. The service provider just outlined the processes they wanted tested, and the auditors tested them and reported on their effectiveness — either good or bad.
Similarities between a SAS 70 and SSAE 16
Like SAS 70, SSAE 16 is to be used when an organization outsources, according to the American Institute of CPA’s (AICPA), “a business task or function and the data resulting from that task or function is incorporated in the (customer’s) financial statements.” This statement creates broad applicability to a significant number of service providers from payroll providers, data center and collocation providers, managed services companies, and an ever increasing array of cloud services providers.
Unfortunately (more on this in my next post), SSAE 16, just like SAS 70, does not outline the controls that must be covered in the assessment of IT controls. It is for the service provider to decide which controls are essential to the services being provided. And, the service auditor still issues a Type I or Type II report. Both report types rely on management’s description of controls, and the scope of each report is similar to that under SAS 70.
Basically, a Type I report assesses a service provider’s internal controls to assure that they are fairly and completely described and that they have been adequately designed to meet their objectives. A Type II report does the same, but goes further by actually testing the controls in operation over a certain stated time period, such as for a calendar year.
Differences between SAS 70 and SSAE 16
The main difference between SAS 70 and SSAE 16 is the depth of information the service provider must provide to the service auditors, including (among other things):
- Management attestation of their overall service offering and underlying control structure
- Verification that appropriate criteria are used for system evaluation
- Current evidence for every control during each assessment, rather than reusing prior evidence
In addition, service providers that rely on other service providers for some or all of their offering must now address their subservice providers in their overall description of system process and control. Think of an SaaS provider that engages a hosting data center to run their processes.
So what does this mean to a cloud customer?
Yes, I admit at a quick glance there doesn’t appear to be much different between the two. But from a customer perspective, the presentment and attestation of processes and controls by the service provider management team and the subsequent testing over a period of time help with two things: (1) the overall audit process better aligns with SOX; (2) the new process can provide the customer increased assurance that their data is secured in the manner the service provider states that they are.
In other words, the top executives of the service now put their jobs and reputation on the line by stating that their processes and controls function as stated to protect client data.
For more information on SSAE 16, you can visit:
American Institute of CPAs (AICPA) - http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SSAE.aspx
SSAE16.com - http://www.ssae-16.com/
In my next posting, I will discuss how the AICPA addressed the need for IT audit standards and certification for outsource services.