Why Data Centers Don't Need SSAE 16

Wednesday, August 24, 2011

david barton


Most large Data Center and Co-location providers that have Fortune 500 customers have been providing SAS 70 reports for several years. 

Now that SSAE 16 has been announced as the “replacement” for SAS 70, most of them are undergoing SSAE 16 reviews.

You can check my prior blogs “SAS 70 is Dead” and “SSAE 16 is the New SAS 70” for more on the history of how we got here and the fact that “the customer is always right”.

I am continually amazed by how adamant many auditors and IT controls people are about why a data center or co-location provider needs an SSAE 16 audit. I agree that DCs provide certain fundamental general controls that may impact the systems that are maintained there. 

But even those general controls do not constitute Internal Controls over Financial Reporting (ICFR), which is clearly a requirement for performing a SOC 1 (SSAE 16) review.

With few exceptions, DCs and co-location centers do not WANT to be able to alter the processing of their customers’ transactions, and they do everything in their power to avoid direct access to their customers’ systems.

So what exactly is ICFR? The SEC is the overlord of Sarbanes-Oxley compliance and the purveyor of wisdom regarding ICFR.  It defines ICFR as:

“A process designed by, or under the supervision of, the registrant’s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;

(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and

(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant’s assets that could have a material effect on the financial statements.”

That is a very long definition, but it is important for understanding what ICFR is.  Several key phrases stand out in it, each describing policies and procedures that:

  • “Pertain to maintenance of records” – Does a data center maintain records? No. A DC maintains an environment of physical security, environmental controls, and connectivity.  The user organization is responsible for maintaining the records.
  • “Provide reasonable assurance that transactions are recorded as necessary” – Does a DC provide that assurance?  No, the user organization does.
  • “Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of… assets” – Does a DC provide this assurance?  No, not unless it is providing managed services in addition to basic data center services.

So where is the link to ICFR?  When examining the types of controls that a typical DC or colo facility provides, there is no relevant link to ICFR.

“So Barton, are you saying that user organizations shouldn’t be concerned with controls at their third party colo or DC?”  Absolutely not.  I am saying that a SOC 1 SSAE 16 report is not the right answer for a colo or DC.  The more appropriate SOC report would be a SOC 2 report.

SAS 70 (and subsequently SSAE 16) was never meant to be a report on IT general controls.  It became popular for DCs and colos because auditors did not know of any alternative to SAS 70 for understanding controls at service organizations.

Now that the AICPA is promoting SOC 2 as an alternative to SAS 70 for understanding IT general controls, there is no reason for a DC or colo to undergo an SSAE 16 review.

For most DCs and colos, the services provided are no different from those provided by the building management companies for large office buildings throughout the country.  Building management companies lease space. 

That space includes physical security and environmental controls.  They don’t typically provide connectivity but there may be some that do.  DCs and colos lease space that includes physical security, environmental controls, and connectivity.  Those services do not constitute ICFR under the SEC definition.

So don’t ask your DC or colo provider to give you an SSAE 16 report.  Instead, look into an alternative like the SOC 2 or SOC 3 report to get an understanding of the IT General Controls they provide.


Hedge Hog This article is grossly inaccurate and should be removed. If not removed, it should be fully noted that the author is not a CPA, and is speaking outside of his area of expertise. The American Institute of Certified Public Accountants' guide for the conduct of SSAE 16 (SOC 1) examinations specifically states that SSAE 16 is applicable to general IT controls, which includes those of a third party data center (see excerpts below). There is no technical support for this author's opinion. Rather, the AICPA guide contradicts this entire premise only six paragraphs into its new audit guide when it states (my emphasis added):

Par. 1.06 "Following are some additional examples of service organizations that perform functions that are relevant to user entities’ internal control over financial reporting:
Application service providers (ASPs). ASPs provide packaged software applications and a technology environment that enables customers to process financial and operational transactions. An ASP may specialize in providing a particular software package solution to its users, MAY PROVIDE SERVICES SIMILAR TO TRADITIONAL MAINFRAME DATA CENTER SERVICE BUREAUS, may perform business processes for user entities that they traditionally had performed themselves, or may provide some combination of these services. As such, an ASP may be a service organization if it provides services that are part of the user entity’s information system."

The fact of the matter is that a data center that hosts systems likely to be relevant to the financial reporting controls of its customers may be included as a subservice organization within a service organization's report....and may also elect to apply SSAE 16 to its services so as to avoid multiple user auditor assessments, resulting in its own stand-alone report. SOC 1, 2 and 3 are not mutually exclusive and exist to meet the reporting needs of various types of customers. It is entirely possible, if not likely, that most major data centers are candidates for both SOC 1 and SOC 2....and they are far more likely to be asked for an SOC 1 report before an SOC 2 report.

There is no technical support that cites an SOC 2 report as an acceptable substitute for an SOC 1 / SSAE 16 report. So when the author says "don’t ask your DC or colo provider to give you an SSAE 16 report. Instead, look into an alternative like the SOC 2 or SOC 3 report to get an understanding of the IT General Controls they provide."...I hope you aren't a user organization or their financial statement auditors b/c SOC 2 will be useless for your purposes. A data center that relies on that recommendation does so at its own risk, to put it mildly.


Per par. 4.50 of the authoritative AICPA Guide: Service Organizations - Applying SSAE 16, Reporting on Controls at a Service Organization (SOC 1) [May 2011]:

"In addition, the control objectives would include general computer control objectives that are necessary to achieve the application control objectives (related to classes of transactions and events as well as account balances) and are therefore likely to be relevant to controls over financial reporting at user entities. General controls are assessed in relation to their effect on applications and data that are likely to be relevant to financial reporting at user entities. General control objectives and related controls are typically reported separately from application controls."
Douglas Barbin I agree with the citations and analysis from "Hedge Hog." I am a CPA and work for a firm that specializes in this and audits many of the leading global data centers.

The facts are:
1. Data centers that host financial applications sit in the chain of controls that make up the totality of an end-user’s controls over financial reporting.
2. Any financial auditor who is of the same opinion for their client will expect an SSAE 16 or SOC 1 report and will not accept a SOC 2. The last thing a data center or any hosting provider wants is to be in a situation where they have provided the wrong report.

SOC 2 has its place and we have worked with companies in the social media, messaging, and marketing spaces that do not impact financial reporting making SOC 2 completely appropriate.

Data centers are different as they often provide the physical and environmental shell around these controls. For that reason, and the citations above, SSAE 16 is appropriate.

I advise any provider to speak with an experienced CPA on this topic. It is too important to screw up.

Director at BrightLine
Lance Miller @Hedge Hog, by leaving the article up I think the opportunity is created to present both sides of the coin.

Also, it is always nice to see an opposing opinion presented like you did. Professional and backed with well thought out points.

Hedge Hog That's true. People (normally info sec consultants with a vendetta against SSAE 16) keep writing ridiculous articles on this topic. If keeping it posted may dissuade others from making the same mistake, I agree that it should not be removed.

BTW, the author rendered an editorial opinion without any citations from SSAE 16 or the related audit guide. I presented relevant citations from the authoritative guidance on the matter which demonstrate his opinion to be wrong. These are indisputable mandates that an entire profession operates under and should not be characterized as my opinion.
Daniel Vizcayno, CISA, CISM, CISSP Good article, but I don't agree or disagree. The most important rule to remember is that if your organization is under regulation or handling Personally Identifiable Information (PII), then all means of controls assurance should be available. The organization that owns the data is always responsible and liable. Having a control assurance report such as a SAS or SSAE report will save your organization from tons of trouble.
david barton First let me state that I am NOT speaking outside my area of expertise. Although I am not a CPA, I am a CISA, CRISC, and have conducted a large number of SAS 70 and other compliance audits over my 25 plus year career as an IT Auditor working for CPA firms and in industry.

Second, while Hedge Hog is correct in stating that SSAE 16 guidance states that general controls are applicable, his reference to ASP services is not the type of service I am referring to. My point is that if a data center is not directly involved in the processing of the financially relevant transactions, then a SOC 2 report is more appropriate.

Section 1.01 of the AICPA Guide: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2) also provides examples of applicable services, including:
"Enterprise IT outsourcing services-Managing, operating, and maintaining user entities' IT data centers, infrastructure, and application systems and related functions that support IT activities, such as network, production, security, change management, hardware, and environmental control activities."

Table 4-3 in the SSAE 16 guidance lists examples of general computer controls. In looking at that list of examples, a typical data center or colo is only responsible for physical security and network infrastructure. All the rest of the example controls are managed by the user organization.

A SOC 2 report utilizes a list of pre-defined criteria for security and availability (the two Principles most applicable to data centers). An SSAE 16 report has no such pre-defined criteria and many of the SAS 70 / SSAE 16 reports for data centers that I have read have significant gaps in the coverage of both security and availability principles.

So take a deep breath, re-read my post, and understand my point. Again, it is not that general controls should not be examined as part of a financial statement audit. My point is that a SOC 2 report is more appropriate, given the low impact and responsibility for key ICFR that a data center has.
Chris Schellman, CPA, CISSP, PCI QSA With all due respect, your article directly conflicts with the SSAE 16 standard, the SOC 1 and SOC 2 audit guides, the position of the world’s largest accounting firms, and the position of industry leading data centers. I have extensive knowledge of the SOC 1 and SOC 2 guidance and have managed ~1,000 SAS 70 audits and nearly 100 SSAE 16 examinations. I can find nothing in the guidance or my professional experience that supports your position.

Your clarification states “My point is that a SOC 2 report is more appropriate, given the low impact and responsibility for key ICFR that a data center has.” “More appropriate” implies a belief that SSAE 16 is appropriate, but to a lesser degree. However, the actual article makes statements like “a SOC 1 SSAE 16 report is not the right answer for a colo or DC” and “there is no reason for a DC or colo to undergo an SSAE 16 review”. Are you now saying that SSAE 16 is applicable to such services? (Hint: The correct answer is “yes” if, per the first paragraph of SSAE 16, the organization provides “services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting”.)

Regardless, it is not a matter of “more appropriate”. There is no ambiguity about the applicability of the standard and there are no substitutes for the purposes of financial reporting. The SOC 2 guide confirms this at paragraph 1.23, which states:

“A service organization’s controls may be relevant to a user entity’s internal control over financial reporting and also to the trust services principles. This guide is NOT intended to permit a SOC 2 report to be issued that combines reporting on a service organization’s controls relevant to user entities’ internal control over financial reporting with reporting on controls relevant to the trust services principles. A service organization may engage a service auditor to separately perform an engagement that addresses a service organization’s controls related to user entities’ internal control over financial reporting. If a service auditor is engaged to perform both a SOC 1 and SOC 2 engagement, certain testing performed in either engagement may provide evidence for the other engagement.”

Translation: A service organization may need both, but cannot use an SOC 2 report as a substitute for an SOC 1 examination. By extension, a user entity and a user auditor (under the SOC 1 definition) should not request and cannot rely on an SOC 2 report for the purposes of a financial statement audit.

I understand the general point you are trying to make; however, I think you should concede the instances when SSAE 16 is appropriately applied and the reasons an organization might benefit from SOC 2. Anything that alludes to SOC 2 as an alternative to SOC 1 is not accurate. I assume that we are in agreement on that point.

Chris Schellman
BrightLine CPAs & Associates, Inc.
david barton Chris,
Thanks for remaining professional and understanding my point without resorting to personal attacks under the anonymity of a screen name.

I absolutely agree that under the current standards, a SOC 2 report cannot be relied upon for the purposes of a financial statement audit.

I believe the reason the AICPA does not allow a SOC 2 report to be used in lieu of a SOC 1 is for those service organizations that provide more than basic data center type services. Obviously a TPA or Payroll processing company could not substitute a SOC 2 for a SOC 1 because there are operational controls not covered by the SOC 2 framework that directly impact ICFR.

Data center controls are pretty consistent and are easily covered by SOC 2 framework. Because SOC 1 reports don't have any kind of baseline controls framework, the SOC 1 reports that I have read vary greatly in their description of the controls as well as the level of testing performed. Many fail to describe basic controls that should be evaluated. As a result, the reader has to know enough to ask "what's missing"?

That is why I believe that a consistent set of baseline controls as part of a review (ala SOC 2) is better than the free for all we currently have with SOC 1. There are far too many DCs getting shoddy SOC 1 reports as a cost of doing business and then proclaiming themselves "SSAE 16 Certified".

Until the AICPA recognizes the inconsistency relative to data centers and SOC reporting, the only legitimate alternative that these service organizations have is to get two reports. And I know many firms that are only too happy to charge for both.

Jon Long David, I trust the taste of victory is sweet for you after the release of the article from Data Center Knowledge (http://bit.ly/A9uMW0). Keep up the good work. Gartner's prediction is close to becoming a reality (http://bit.ly/wEt2i5).
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
