Update: SSAE 16 Replaces SAS 70 as Reporting Standard
SAS 70 reporting standards were effectively replaced by the SSAE 16 audit. The AICPA (American Institute of Certified Public Accountants) issued the draft in April of 2010. The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) outlines the current set of reporting standards that service organizations must adhere to in order to be considered SSAE 16 compliant. The changes between the SAS 70 and SSAE 16 requirements are as follows:
- Service organizations are now required to supply a written statement outlining the effectiveness of the controls within their respective organization(s).
- SSAE 16 is not an audit but rather a written attestation from management outlining which quality controls are present. This differs from an audit, which typically deals with the accounting side of an organization.
- SSAE 16 requires a detailed description of the system rather than just the controls alone. The emphasis falls on the “system” rather than on “controls”, largely because practitioners prefer to align with international reporting standards.
- SSAE 16 is viewed more as an auditor-to-auditor communication method than as a defined standard that organizations must live up to.
What is SAS 70?
The Statement on Auditing Standards No. 70 (SAS 70) Type II certificates were awarded to data centers that adhere to the industry’s strictest criteria. SAS 70 new name: SAS 70 is now defunct and operates under SSAE 16. If a data center still lists a SAS 70 certification, it may be antiquated, but the requirements, listed below, still hold their value. In light of Colocation America’s dedication to data security, we aim to sustain the SAS 70 Type II standards in our data centers. In combination with the SAS 70 data center certification, Colocation America also provides PCI compliance and HIPAA compliant data center hosting. Conducting your own audits is no longer necessary when working with a SAS 70 certified data center. The Statement on Auditing Standards No. 70, also known as SAS 70, was developed by the American Institute of Certified Public Accountants. The AICPA is an association of more than 370,000 CPA members in 128 countries, spanning public practice, education, government, student affiliates and international associates. It sets the professional and U.S. auditing standards for audits of non-profit organizations, federal, state, and local governments, and private companies. Founded on professional ethics and the public interest, the AICPA issues the SAS 70 certification with confidence and authority to worthy institutions.
What Are the SAS 70 Requirements?
A SAS 70 security audit is a detailed report by a certified public accountant (CPA) or a licensed public accounting firm. Either the CPA or the firm must perform the audit according to specific industry standards regarding the planning, execution, and supervision of the audit. These SAS 70 certification guidelines were established by the AICPA, and firms are required to undergo peer reviews to ensure that the audit’s integrity remains intact. Non-CPA professionals with relevant industry expertise may be used to prepare the report, but the final report requires the review and signature of a licensed CPA. The SAS 70 certificate is formatted to permit auditors to review the procedures established by service organizations, referred to as controls in the report. Independent auditors evaluate the control activities and processes to make sure they are legitimate and regulated.
Type I and Type II Audits
According to the SAS 70 website:
Type I reports cover:
- Independent service auditor’s report (i.e. opinion)
- Service organization’s description of controls
Type II reports cover:
- Both points in the Type I report
- Information provided by the independent service auditor; includes a description of the service auditor’s tests of operating effectiveness and the results of those tests
- Other information provided by the service organization (e.g. glossary of terms)