2017 Changes to SSAE and SOC Accreditations for Data Centers and Cloud Providers

March 1, 2023

Two of the most common audit standards for data center and cloud service providers are SOC 1 and SOC 2, both of which fall under the SSAE 16 Type II control. These standards are created by the Auditing Standards Board (ASB) of the American Institute of CPAs to assure the customers of service providers that the controls around those services are operating securely and effectively.

Every so often, the ASB revises these standards. In 2017, SSAE 16 (which stands for Statement on Standards for Attestation Engagements — yes, these audit names are frequently a mouthful) was replaced by SSAE 18 for all audits dated May 1st and later.

Let’s take a look at why data centers and cloud providers certify under SOC 1, SOC 2, and SSAE — and see how the SSAE 18 changes might impact them in 2017.

What are SOC 1 and 2?

SOC 1 places its emphasis on service provider operations that can affect customer financials, including business processes and IT systems.

One of the reasons SOC 2 was added was due to the proliferation of cloud computing services and the trend for businesses to outsource their IT infrastructure to service providers. This created liability concerns that are addressed by the audit controls.

Both can be issued as a Type I or a Type II report. Type I attests to controls at a single point in time, while Type II describes general controls and business operations over a period, generally one year in duration.

The audit reports include an opinion letter summarizing the overall report; management’s assertion that the report is accurate; a description of the service provider’s system, including policies, procedures, employees, processes, and operations; a description of the tests performed on the described controls; and a catch-all “other information” section for areas that were not tested, such as disaster recovery.

In layman’s terms, SSAE = SOC (which stands for Service Organization Control, if you’re wondering). These controls are certified via a third-party audit and are essentially a stamp of approval proving that service providers meet minimum standards for data handling, management, availability, security, and so forth.