From SSAE 16 to SAS 70 (Part II): SOC reporting and certification

Brian Musthaler
By | January 17, 2012

Posted in: Network Security Trends

In my previous post (From SAS 70 to SSAE 16, what does it mean?), I outlined the similarities and differences between SAS 70 and SSAE 16 audits. Now, I will go into more detail about the reporting options available with SSAE 16 and the additional auditing/reporting facilities the American Institute of CPAs (AICPA) has developed for the world of IT outsource services, e.g., data centers and cloud hosting.

SSAE 16 is the new audit standard for “Reporting on Controls at a Service Organization” (including data centers) within the United States. Also, for organizations that offer international services, SSAE 16 provides better alignment with the international audit standard ISAE 3402.Within SSAE there are three Service Organization Controls (SOC) reporting options: SOC 1, SOC 2 and SOC 3. According to the AICPA, they are “designed to help service organizations, organizations that operate information systems and provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant. Each type of SOC report is designed to help service organizations meet specific user needs.”

SOC 1 , the “Report on Controls at a Service Organization Relevant to User Entities’ Internal Controls over Financial Reporting,” is, basically, what SAS 70 was intended to be: financial reporting controls at a service organization used as an auditor-to-auditor communication tool. But, it is not a data center- centric audit per se.An SOC 1 report is the basic SSAE 16 report that is delivered as a Type 1 or Type 2 report. The Type 1 reports delivers an auditor’s opinion on the accuracy and completeness of the service provider’s management description of the system or service, as well as the suitability of the design of controls as of a specific date. The Type 2 report includes the Type 1 criteria but goes much further, auditing and verifying the effectiveness of the controls throughout a specified time period, such as a calendar year.Like SAS 70, there is no official SSAE 16 or SOC 1 “certification.” So, don’t call yourself “Certified” (just yet).

Though this may seem a mere nuance to many, the AICPA stridently disagrees with the commonly used phrase “SAS 70 Certified” or “SSAE 16 Certified.” Technically, a service provider does not receive a certification after they have been audited. So, in an effort to address the “certification” confusion, there are new reporting standards from the AICPA: SOC 2 and SOC 3 are specifically designed to address the need to provide information and assurance on nonfinancial controls.

SOC 2, the “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy”, addresses nonfinancial controls related to compliance and operations at a service provider. This report is used by management of the service provider, its customers and prospects, suppliers, business partners and other organizations associated with the service provider to assess the control environment of a service provider.

This report is based on predefined controls outlined within the AICPA Trust Services Principles and Criteria. These criteria have been developed by the AICPA for evaluating the design and operating effectiveness of controls at a data center or other service organizations. The AICPA defines the Trust Principles as five attributes of a reliable system:


  1. 1. Security. The system is protected against unauthorized access (both physical and logical).

  2. Availability. The system is available for operation and use as committed or agreed.

  3.  Processing integrity. System processing is complete, accurate, timely and authorized.

  4. Confidentiality. Information designated as confidential is protected as committed or agreed.

  5. Privacy. Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice and criteria set forth in Generally Accepted Privacy Principles issued jointly by the AICPA and the Canadian Institute of Chartered Accountants.

SOC 3, the “Trust Services Report for Service Organizations,” is intended for general use and can be distributed and promoted with the SOC 3 seal on the service organization’s website. It reports on nonfinancial controls related to compliance and operations at a service organization listed under the SOC 2 description.

This report provides the same level of assurance about controls outlined in SOC 2 requirements. The report is intended for general release and does not contain the detailed description of the testing performed by the auditor, but rather, a summary opinion regarding the effectiveness of the controls in place at the data center or service organization.

More importantly for data centers and other cloud service providers that wish to claim they are “certified,” the SOC 3 report meet the certification needs that service providers have been seeking. Once the auditor reports that that the service provider has achieved the trust services criteria, the company can display the “SOC 3: SysTrust for Service Organizations” seal.

These new IT-centric audit reports are welcome, if not long overdue, baseline standards for the growing cloud/outsourcing service industry. They will help raise the bar for baseline operational controls. For some it may require work to meet this baseline, while many others can stand out from the competition with control processes they already have in place.

Last but not least, the service provider customers will get what they’ve been seeking: a controls benchmark to use when comparing data center operators and outsource service providers.

For more information about:

You May Also Be Interested In: