Most large Data Center and Co-location providers that have Fortune 500 customers have been providing SAS 70 reports for several years.
Now that SSAE 16 has been announced as the “replacement” for SAS 70, almost all of them are undergoing SSAE 16 reviews.
I am continually amazed by how adamant many auditors and IT controls people are about why a data center or co-location provider needs an SSAE 16 audit. I agree that DCs provide certain fundamental general controls that may impact the systems that are maintained there.
But even those general controls do not constitute Internal Controls over Financial Reporting (ICFR) which is clearly a requirement for performing a SOC 1 (SSAE 16) review.
With few exceptions, DCs and co-location centers do not WANT to be able to alter the processing of their customers’ transactions, and they do everything in their power to avoid direct access to those customers’ systems.
So what exactly is ICFR? The SEC are the overlords of Sarbanes-Oxley compliance and the purveyors of wisdom regarding ICFR. They define ICFR as:
“A process designed by, or under the supervision of, the registrant’s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant’s assets that could have a material effect on the financial statements.”
That is a very long definition, but it is important for understanding what ICFR is. Several key phrases stand out in that definition, noting policies and procedures that:
- “Pertain to maintenance of records” – does a data center maintain records? No. A DC maintains an environment of physical security, environmental controls, and connectivity. The user organization is responsible for maintaining the records.
- “Provide reasonable assurance that transactions are recorded as necessary” – Does a DC provide assurance? No, the user organization does that.
- “Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of… assets” – Does a DC provide this assurance? No, not unless they are providing managed services in addition to basic data center services.
So where is the link to ICFR? When examining the types of controls that a typical DC or colo facility provides, there is no relevant link to ICFR.
“So Barton, are you saying that user organizations shouldn’t be concerned with controls at their third party colo or DC?” Absolutely not. I am saying that a SOC 1 SSAE 16 report is not the right answer for a colo or DC. The more appropriate SOC report would be a SOC 2 report.
SAS 70 (and subsequently SSAE 16) was never meant to be a report on IT general controls. It became popular for DCs and colos because auditors didn’t know of any alternative to SAS 70 for understanding controls at service organizations.
Now that the AICPA is promoting SOC 2 as an alternative to SAS 70 for understanding IT general controls, there is no reason for a DC or colo to undergo an SSAE 16 review.
For most DCs and colos, the services provided are no different from those provided by the building management companies for large office buildings throughout the country. Building management companies lease space.
That space includes physical security and environmental controls. They don’t typically provide connectivity but there may be some that do. DCs and colos lease space that includes physical security, environmental controls, and connectivity. Those services do not constitute ICFR under the SEC definition.
So don’t ask your DC or colo provider to give you an SSAE 16 report. Instead, look into an alternative like the SOC 2 or SOC 3 report to get an understanding of the IT General Controls they provide.