By Jay Atkinson
AIS Network CEO
Goodbye, SAS 70. Hello, SSAE 16.
SSAE 16? That’s somewhat new terminology among hosting providers and their customers and investors. SSAE 16 certification has officially replaced the SAS 70 certification process.
This week, AIS Network announces its favorable completion of the SSAE 16 Type II audit, which was conducted by the independent auditing firm, KirkpatrickPrice, LLC. AISN is now “SSAE 16 Type II compliant.”
So, of what significance to hosting customers is the switch from SAS 70 to SSAE 16? And, why now?
SAS 70: A Brief History
For almost 20 years, hosting customers that had to comply with stringent regulatory or auditing standards actively sought out hosting services providers whose infrastructure and internal controls had been examined by independent auditors under SAS 70 (more formally known as the U.S. Statement on Auditing Standards No. 70).
Until mid-June, SAS 70 was the leading standard for assurance reports for hosting providers and other service organizations. Customers and investors relied upon independent auditors’ SAS 70 reports to understand what internal controls a hosting provider used and gain confidence that the hosting provider was implementing those controls properly.
But while a SAS 70 auditing report was helpful in providing transparency to customers or investors who needed certain assurances about a hosting provider’s internal controls, the audit itself lacked consistency with international standards. Moreover, there was no standard or set of criteria for hosting companies to use in defining their internal controls for the purpose of the SAS 70 audit.
SSAE 16: Setting the Bar Higher
This spring, a new standard took effect for U.S.-based colocation, cloud, managed hosting and other services providers — the Statement on Standards for Attestation Engagements No. 16, the SSAE 16.
Created by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), the SSAE 16 replaces the SAS 70 for periods ending after June 15, 2011.
Why a new standard? Largely, SSAE 16 reflects AICPA’s efforts to converge the U.S. auditing standard with the international standard (not merely regional or national standards), and in the process, set a higher bar by refining the procedures for auditing a service provider’s internal controls.
SSAE 16 mirrors more closely the international audit standard, known as International Auditing and Assurance Standards Board (IAASB) International Standard on Assurance Engagements 3402 (ISAE 3402). It also levels the playing field for companies by adding a new attestation standard and two more Service Organization Control (SOC) reports, all of which allow independent auditors to audit service providers more consistently – and with a standard set of criteria. For more details, see AICPA’s discussion of SSAE 16 audits.
As with the SAS 70 audit reports, the SSAE 16 audit reports come in two flavors: Type I and Type II. According to the standards put forth by AICPA, Type I reports document the independent auditors’ opinion regarding the design of controls as of a set date. Type II reports go further; they include the Type I criteria and also audit the operating effectiveness of the controls over a minimum six-month period. AISN, for example, has an SSAE 16 Type II report because it provides the highest level of assurance.
So what’s new about the SSAE 16? Like the SAS 70, SSAE 16 still reports on controls related to security, availability, confidentiality, processing integrity and privacy. However, the primary difference between SAS 70 and the SSAE 16 is that SSAE 16 includes a new attest standard (not a new audit standard), which requires the auditor to include in its report the hosting company management’s written description (“attestation”) of the design and operating effectiveness of the internal controls to be audited and the suitable criteria used for its assessment. A similar requirement is made of any subservice organization (for example, a data center) involved in the audit.
How will SSAE 16 impact the hosting industry? Most top-tier hosting providers have already implemented internal controls around security, availability, confidentiality, processing integrity and privacy. They have also likely gone through the SAS 70 auditing process more than a few times. For them, transitioning to the higher SSAE 16 standard will be painless. However, the transition may prove more challenging for competitors that may have set less stringent controls during previous SAS 70 audits.
What does this mean for customers or investors with Sarbanes-Oxley Act (SOX) requirements? In a word, accountability. The fact that a hosting company’s management must now make certain written attestations about their internal controls – and then include those in the independent auditors’ report – further underscores that they must take full responsibility for the controls in operation.
In this way, SSAE 16 is better aligned with SOX, which primarily impacts publicly traded companies and those who service them. SOX mandates that a publicly traded company’s management team be held accountable for the veracity and completeness of its financial report attestations. To achieve this, the company must have quality internal controls in place.
By using an SSAE 16-compliant hosting provider, the company is assured that the hosting company, which is more than likely hosting its mission-critical data, also maintains the same level of accountability. The independent auditor’s SSAE 16 report essentially saves the SOX-affected customer the trouble of auditing the hosting company’s critical internal controls for SOX compliance.
What is the future of SSAE 16? We at AISN applaud the transition from SAS 70 to SSAE 16. It represents a more meaningful audit standard that:
- achieves parity with international standards and helps us better meet our international customers’ needs,
- enhances our ability to provide customers with assurances about our internal controls, and
- sets the bar higher for accountability and professionalism within our industry.