Effective in June of 2011, the old SAS 70 auditing standards are being replaced with the SSAE 16. This new standard has been developed to closely align with the international version (ISAE 3402) that is being rolled out concurrently. Why the change now?
Old Standards Created Too Many Loopholes
One reason is that the previous standard is being used in ways its developers never intended. According to Mike Klein from Online Tech, the SAS 70 has long been used by data centers to provide assurance to customers that their facility and operating systems are secure and properly run. However, the standard is really meant to be used for evaluating financial reporting practices.
Data centers have apparently been making claims that they are “SAS 70 certified” when, in fact, no such certification exists. They might claim truthfully to be SAS 70 audited, but that doesn’t really tell you how well they fared in the audit process. A data center could simply set its own standards and meet them to claim that it is compliant.
The obvious solution to these problems was to create a set of standards that include more accurate assessments – and that can be used for highly targeted industries. The SSAE 16 will require auditors to collect a written statement from management at the facility being audited. This assertion document will outline the design and operational effectiveness of relevant controls. SOC 1 (Service Organization Control) reports will be issued in two tiers. Type 1 will simply offer the auditor’s opinion regarding the assertions provided by management. Type 2 will entail actual monitoring of the system over a time period of 6-12 months. However, companies that are audited in this way will still not be “certified” under SSAE 16.
New Standards Factor in Data Center Requirements
Data centers will be able to take an additional step toward achieving the highest standards of compliance. SOC 2 and 3 reports offer a way for data centers to be compared to actual industry benchmarking standards. An audit of this type would cover criteria such as availability, processing integrity, security, and privacy. With an SOC 3 report, a summary of a company’s audit will be available for the general public to increase credibility. The SysTrust seal can be used by service organizations that successfully complete the SOC 3 process. This is a boon for SaaS providers since they will now have a valid “seal of quality” to display to clients.
At Emerald Software Group, we’re evaluating the ISAE 3402 and are moving toward achieving this standard later this year. Stay tuned for more information as it becomes available.