June 2011 brought the end of the SAS 70 report as the data center reporting standard. Corporations that abide by the Sarbanes-Oxley regulations are now limited to a few reports for judging the security of a data center's processes for handling sensitive financial information. The Statement on Standards for Attestation Engagements No. 16, or SSAE 16, for data centers is the reporting standard set to replace SAS 70. SSAE 16 is geared towards internal controls over financial reporting (ICFR), which has little to do with the services offered by data centers. In an effort to improve on the SSAE 16 reporting guidelines for data centers, the American Institute of Certified Public Accountants (AICPA) created the Service Organization Controls (SOC) reports as new options for corporations concerned about the security of their financial data.
There are three different types of SOC reports: SOC 1, SOC 2, and SOC 3. SOC 1, based on SSAE 16 and SAS 70, provides the standard reports needed by customers using data center services for their ICFR needs. The report is only helpful to those clients that use dedicated servers hosted within the data center facility to do their financial reporting.
SOC 2 and SOC 3, on the other hand, are reports on the integrity of the data center's network infrastructure. These two reports were made to assure a customer of data center services that the facility is secure against unauthorized access, has the resources and systems available according to the report's specification, ensures accurate processing, and is completely confidential and protected. Any private information collected from the hosted servers is encrypted, handled, and removed according to the guidelines of the Generally Accepted Privacy Principles (GAPP) of the AICPA. However, SOC 3 only provides general information on how well a data center facility meets the criteria set forth by the AICPA, without any details, so it is best served as a marketing gimmick.
With the transition from SAS 70 to SSAE 16 reporting standards, confusion over which reports to request for your business is bound to happen. Choosing which type of SSAE 16 report your company needs may bring back memories of those multiple choice questions on final exams that you only vaguely understood. Many corporations today choose the SSAE 16 (SOC 1) report because of its similarity to a SAS 70 report, but as it focuses on the financial reporting process and not the data security of the network, its relevance is limited to a few corporations. The new report options can be a headache to figure out, which is why it's best to have a chat with your data center provider and auditor to find out which report options will be most relevant to your company.
For more information contact Shawn Ahdoot
Thanks for sharing this information, that there are three different types of SOC reports: SOC 1, SOC 2, and SOC 3. SOC 1, based on SSAE 16 and SAS 70, provides the standard reports needed by customers using data center services for their ICFR needs.