The spread of outsourcing and cloud computing is leading companies to rely more and more on third-party servers, many of them hosted in offshore data centers. The concerns of data security and the need to conform to the ever-expanding regulatory compliance legislation necessitate a need for third-party reporting on these data centers.
Two common standards that address this need are Statement on Standards for Attestation Engagements (SSAE) 16 and International Standards on Assurance Engagement (ISAE) 3402. ISAE 3402, promulgated by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC), is the globally accepted standard for reporting on service organizations. SSAE 16 is the US standard promulgated by the American Institute of Certified Public Accountants (AICPA). There are other standards, such as the Canadian Institute of Chartered Accountants’ (CICA) 5970 and Institute of Chartered Accountants in England & Wales’ AAF 01/06 as well, but on the whole, service auditors are now required to comply with either ISAE 3402 or SSAE 16.
SSAE 16 and ISAE 3402 essentially share a common framework, derived from the now defunct U.S. Statement on Auditing Standards No. 70 (SAS 70). The passage of the Sarbanes-Oxley Act of 2002 led to a much wider use of the existing SAS 70 standards, and improvements on this standard to incorporate the increased scope led to these two standards.
SSAE 16 closely mirrors ISAE 3402. Both require the management to provide a detailed description of its “system” and a written statement of assertion. The significant difference is that while SSAE 16 is an “attestation” standard, ISAE 3402 is an “assurance” standard.
ISAE 3402 also incorporates a Readiness Assessment, to be analyzed by a qualified service auditor. This audit would assess the changes brought about by adopting the ISAE 3402 standard, and how such changes differ from other standards in place, such as that of SSAE 16 or CICA 5970. The audit would also provide recommendations and guidance to develop the description of its “system” and written statement of assertion.
These reports give businesses looking to outsource to data centers an idea of how the data center works and the extent to which it is in compliance with various regulations and policies. It allows businesses to cross-check the compliance, security and other claims made by the data centers. Need more info on compliance and audits? Contact us at Lifeline Data Center today. We maintain a current SSAE Type II Audit Report.