Guidelines on becoming SSAE 16 Certified

After completing a rigorous audit by a certified independent CPA, Colocation America is proud to have 22 SSAE 16 certified data centers operating in full compliance with the new SSAE 16 compliance standards. With this new certification, all servers hosted with Colocation America are secured through the implementation of IT controls that adhere to the new SSAE 16 compliant hosting guidelines. Technicians working within an SSAE 16 data center facility operate according to a strict internal process to ensure that all servers are managed accordingly. The new guidelines set forth by the American Institute of Certified Public Accountants (AICPA) are the standard that many colocation providers must comply with, but many are unsure about what SSAE 16 is. There is much confusion as to which reporting standards a business should ask for from its data center service provider, so here is a basic rundown of each type of SSAE 16 report.

What Is SSAE 16?

The Statement on Standards for Attestation Engagements No. 16, or simply SSAE 16, is a set of guidelines for reporting on the level of controls at a service organization. The guidelines were created by the AICPA and went into effect June 15, 2011, replacing SAS 70 as the auditing standard for service organizations. The new standard for reporting on the internal controls of a service organization was drafted in order to bring organizations in the US service industry up to reporting standards that comply with the International Standard on Assurance Engagements No. 3402 (ISAE 3402). There are two types of SSAE 16 reports, along with the addition of a new reporting framework, the Service Organization Control (SOC) reports.

What Is SSAE 16 Type I and Type II?

SSAE 16 Type I and Type II reports are an effective way to communicate information about the controls a service organization has over its system. Both reports contain the independent service auditor's opinion on the organization's system and the service organization's own description of that system. However, any information provided by the independent auditor regarding testing of the controls and their operating effectiveness is optional for a Type I report. A Type I report is geared towards service organizations that have not gone through a SAS 70 audit and would like to set themselves on a path to a Type II reporting standard. The report covers the service organization's controls over its system at a specific point in time. A Type II report details the testing done on the service organization's controls and their effectiveness. The audit usually covers a minimum period of six months, which is stated in the report.

What Is SSAE 16 Compliance?

With the new framework of the SOC reports added to the SSAE 16 standards, SSAE 16 can now replace SAS 70 for service organizations reporting on their internal business practices and system controls. The SOC reporting framework consists of 3 types of reporting standards: SOC 1, SOC 2, and SOC 3. SOC 1 reporting uses the SSAE 16 professional standard and is geared towards reports on Internal Control over Financial Reporting (ICFR). It is designed to be a reporting standard for a business' financial reports, highlighting its financial accounting and reporting practices. Although it is similar to the SAS 70 reports, it is not relevant to service organizations like data centers, which manage the IT infrastructure of multiple businesses. SOC 2 and SOC 3 reports are issued under the guidelines set forth by the AT Section 101 attest standard. These reports detail the service organization's internal system architecture, focusing on the following criteria:
  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy
Due to the rise in data center hosting, SaaS, and cloud hosting, the new SOC framework was put in place by the AICPA in order to separate service organizations into different categories. In short, an SOC 1 report details an organization's controls over financial reporting, while SOC 2 and SOC 3 reports are about the internal controls of the system that hosts the financial accounts and records of an organization. Both SOC 2 and SOC 3 reports are more relevant for businesses that are looking for detailed reports on the internal controls a data center provider has set in place to protect against security breaches and to prevent data corruption.

Still Confused?

We here at Colocation America are ready to help you figure out your financial reporting needs. Corporations that abide by the Sarbanes-Oxley regulations will have to gain a thorough understanding of the security practices put in place to protect their dedicated servers. Figuring out which reports would provide the most relevant information is a key part of understanding the security of your sensitive business data. We will be happy to discuss with you and your auditor which type of report you need to make sure that you (and we) stay in compliance with the operating standards of a good business. In the meantime, you can head on over to the SSAE 16 hosting resource guide to find multiple white papers that will help you get on the right track.