In January 2010, the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) introduced the Statement on Standards for Attestation Engagements (SSAE) No. 16, or the SSAE 16. The standards coming into effect on June 15, 2011 is applicable to Service Auditors’ reports. A data center audit plays a prevalent role in deciding the capability of the data center’s procedures to deal with the most important aspects of security.
A brief overview of SSAE 16
SSAE 16 specifically applies to service providers, therefore, covering aspects of financial reporting related to data centers. SSAE 16 is based on accounting ethics and practices on the global level. These auditing standards require the management of service organizations to submit a written statement of assertion.
Critical aspects of SSAE 16 assessment
A data center undergoing SSAE 16 assessment is required to pay due attention to several important aspects to ensure a successful audit.
Service Organization Control (SOC) reports include the SOC 1, SOC 2 and SOC 3 reports. The professional standards and sets of principles laid down by SSAE 16 are to be maintained by the data center undergoing the audit.
Key differences between SAS 70 and SSAE 16
A number of differences exist between the SAS 70 and SSAE 16 and each of these should be considered not only from a theoretical point of view, but also through relevant practicalities.
A written assertion is required to be presented to the service auditor along with the description of the data center’s system. This is to be provided by the management and in the absence of this written assertion, the service auditor has the right to withdraw from the audit.
SSAE 16 surpasses the Statement on Auditing Standards No. 70, SAS 70, and applies to audits undertaken for relevant service providers, including data centers. The audit is required to be carried out by a competent service auditor, either a Certified Public Accountant (CPA) or a CPA firm.