On Compliance: What SSAE 16 is About
SAS 70 has been touted on a number of websites for businesses offering data center services. It has been the equivalent of the “Good Housekeeping” stamp of approval since its inception as a cornerstone audit in 1992.
Goodbye SAS 70, Hello SSAE 16:
SAS 70 is being retired this year. In its place AIS has achieved compliance for the SSAE 16 SOC 1 as well as the AT 101 SOC 2 reports in order to provide assurance to customers assurance of appropriate controls.
The real difference between SAS 70 and the new engagements is that the new reports have an attestation component, which is to say AIS management will be required to provide a written assertion regarding the controls designs, objectives and implementation. Basically, AIS asserted it has X controls which provides Y functionality or service, the auditor checked that X exists, is functioning properly for the length of the sampling period, and is the proper control to provide the specific solution. AIS management is then required to sign written assertions attesting that they agree with the final document and conclusions.
These changes bring the reporting much closer to a Sarbanes Oxley style reporting structure as well as moving the American Institute of Certified Professional Accountants standards closer to the International Federation of Accountants standards.
AIS has already begun the process and is in the sampling period now for the SSAE 16 SOC 3 and HIPPA reports.
The AIS controls matrix covers all aspects of the business, including (but certainly not limited to):
- Service Delivery
- Solutions Design
- Computer Operations
- Logical and Physical Security
- Change Management
- Incident Management
- Disaster Recovery / Business Continuity Planning
For potential clients and their auditors, this represents a significant upgrade over the older SAS 70 reporting. The attestation requirement forces senior management to more fully commit to the existence and status of controls, and provides improved assurance that the required controls truly exist as described.