After completing a rigorous audit from a certified independent CPA, Colocation America is proud to have 22 SSAE 16 certified data centers operating in full compliance with the new SSAE 16 compliance standards. With this new certification, all servers hosted with Colocation America are secured through the implementation of IT controls that adhere to the new SSAE 16 compliant hosting guidelines. Technicians working within the SSAE 16 data center facility operate according to a strict internal process to ensure that all servers are managed accordingly. The new guidelines set forth by the American Institute of Certified Public Accountants (AICPA) are the standard that many colocation providers must comply with, but many are unsure about SSAE 16. There is much confusion as to which reporting standards a business should ask for from its data center service provider, so here is a basic rundown of each type of SSAE 16 report.
What Is SSAE 16?
The Statement on Standards for Attestation Engagements No. 16, or simply SSAE 16, is a set of guidelines for reporting on the level of controls at a service organization. The guidelines were created by the AICPA and went into effect June 15, 2011, replacing SAS 70 as an auditing standard for service organizations. The new standard of reporting on internal controls of a service organization was drafted in order to update organizations in the US service industry to reporting standards that comply with the International Standard on Assurance Engagements No. 3402 (ISAE 3402). There are two types of reports for SSAE 16, along with the addition of a new reporting framework, the Service Organization Control (SOC).
What Is SSAE 16 Type I and Type II?
An SSAE 16 Type I or Type II report is an effective way to communicate information about the controls a service organization has on its system. Both reports contain the independent service auditor's opinion on the organization's system and the service organization's description of the system. However, any information provided by the independent auditor regarding testing of the service and its operating effectiveness is optional for a Type I report. A Type I report is geared towards service organizations that have not gone through a SAS 70 audit and would like to be set on their own path to a Type II reporting standard. The report covers the service organization's controls of its system at a specific point in time. A Type II report details the testing done on the service organization's controls and their effectiveness. The audit usually lasts over a minimum period of six months, which is stated in the report.
What Is SSAE 16 Compliance?
With the new framework of the SOC reports added to the SSAE 16 standards, SSAE 16 can now replace SAS 70 for service organizations to report on their internal business practices and system controls. The SOC reporting framework consists of 3 types of reporting standards: SOC 1, SOC 2, and SOC 3. SOC 1 reporting uses the SSAE 16 professional standard and is geared more towards reports on the Internal Control over Financial Reporting (ICFR). It is designed to be a reporting standard for a business' financial reports, highlighting its financial accounting and reporting practices. Although it is similar to the SAS 70 reports, it is not relevant to service organizations like data centers, which manage the IT infrastructure of multiple businesses. SOC 2 and SOC 3 reports are issued under the guidelines set forth by the AT Section 101 attest standard. The report details the service organization's internal system architecture, focusing on the following criteria:
- Processing Integrity