When it comes to cloud computing data center audits, everyone seems to be jumping on the SSAE 16 bandwagon. Indeed, SSAE 16 is a relatively new audit standard that essentially replaces the aging SAS 70 standard. Scan the market and you’ll find numerous cloud computing companies and cloud services providers announcing SSAE 16 compliance since January 1, 2012. The big question: Will SSAE 16 really give customers peace of mind as they evaluate cloud data center partners?

Companies that have made SSAE 16 compliance announcements so far in January 2012 include:

  • 1102 Grand, which offers colocation facilities in Kansas City.
  • Agile-1, which provides managed services for workforce solutions.
  • CoreXchange, which has multiple Dallas data centers.
  • ePlus Inc., an IT service provider that has close relationships with HP, Cisco, VMware, NetApp, Microsoft, Symantec, IBM and Lenovo.
  • KineticD, which offers cloud backup and disaster recovery services for small and midsized businesses (SMBs).
  • Lucernex Technologies, which offers cloud-based real estate software applications.
  • OneNeck IT Services, the IT outsourcing specialist and managed services provider in Arizona.
  • Open Access Technology International Inc. (OATI), which develops smart grid solutions for the energy industry.
  • Skytap Inc., which develops self-service cloud automation solutions.
  • ViaWest, one of the largest privately-held data center, cloud and managed services providers in North America.
  • Windstream Hosted Solutions, which said more than a dozen of its U.S. data centers comply with SSAE 16.

Potential SSAE 16 Benefits

Generally speaking, SSAE 16 audits cover a lengthy list of requirements. But the SSAE 16 Resource Center points to five key benefits of an audit, noting that SSAE 16 ensures data centers have:

  1. sufficient data and power redundancy;
  2. appropriate physical security (security guards, biometric scanning, video cameras, etc.);
  3. monitors for excessive temperature fluctuations;
  4. timely alert tracking and reviews; and
  5. proper fire and water detection (and protection) systems.

SSAE 16 Problems and Limitations?

The list above sounds very promising. But SSAE 16 audits have their share of critics. In a recent editorial, Online Tech COO and President Mike Klein pointed out a range of potential problems with SSAE 16, alleging that the standard has set back the audit industry by 20 years. Klein’s company focuses on colocation services, managed services and private cloud services.

I can’t endorse or refute the value of SSAE 16 audits, since I have no direct experience with the audits. But I will say this: A growing list of data center providers are jumping on the SSAE 16 audit bandwagon. End-customers could be the long-term winners. But the biggest short-term winners are the folks performing all the audits.

8 Responses

It is a shame because SSAE16 does not provide assurance about security, availability, processing integrity, confidentiality, or privacy. In addition, their SSAE16 reports do not comply with the attestation standards because, like SAS70, SSAE16 reports cannot contain non-ICFR controls (internal controls over financial reporting). Please see this article published today, bit.ly/A9uMW0, and also check out my blog by Googling “risk assurance guy”.

Joe,
With all due respect, I have to take issue with your statement that “Generally speaking, SSAE 16 audits cover a lengthy list of requirements”. The biggest problem with SSAE 16 audits is that there ARE NO REQUIREMENTS. Each service organization is free to develop their list of controls that they feel are relevant to their customers’ financial statement auditors. SSAE 16 is already being misapplied in the same way that SAS 70 was misapplied. The new SOC 2 audit standard is a much better vehicle for examining data center controls because there is a pre-defined list of controls criteria that must be examined. SSAE 16 is the wrong answer to the right question.

Joe Panettieri:

Jon, David:

Thank you both for the additional insights. David, I will give SOC 2 a closer look. In the meantime, do you think SSAE 16 has any value to customers who are evaluating cloud partners and data center partners?
-jp

    Joe,
    Yes, SSAE 16 can provide good insight into controls at cloud providers. But you have to read the report very carefully and ask yourself “what’s missing?”. Getting a complete copy of the report as a prospective customer may be an issue, since officially the report is not supposed to be released to prospective customers. Hard to believe, I know.
    -db

Jon is right.

http://www.aicpa.org/InterestAreas/FRC/Pages/RecentlyIssuedTechnicalQuestionsandAnswers.aspx

SSAE 16 excludes everything *but* financial reporting assertions.
http://www.aicpa.org/InterestAreas/FRC/DownloadableDocuments/TIS_Sections/TIS_Section_9520.pdf

These companies should have a SOC 2/3 – or a generic AT 101 report.

Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization

“This section addresses examination engagements undertaken by a service auditor to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.”

    Joe Panettieri:

    ob1knb: Thanks for the informative tips. I’ll keep them in mind as we plan additional SSAE 16 coverage.
    -jp

This is an interesting article in that it is one of the few, if not the only, articles to quantify the fact that SSAE 16 can be applicable to colos and cloud providers, which is a topic that I previously explored in detail here – http://goo.gl/EVveR. It provides support to the recent Klein article, which concluded that the colo and cloud industries are going to embrace SSAE 16 despite the reservations some may have on the topic. In reality, the evidence indicates that this has already happened given that so many colos and cloud providers have already completed SSAE 16 / SOC 1 examinations, and virtually none that previously completed SAS 70 audits have had sufficient confidence in SOC 2 to complete the examination without also coupling it with an SSAE 16 examination.

    Joe Panettieri:

    Chris,

    Thanks to you and the folks above for all the links/insights. I always get a little worried when an industry jumps on a bandwagon and the media (myself included) assumes the bandwagon is good for cloud services providers. In this case it sounds like SSAE 16 and SOC 1/SOC 2 deserve closer inspection.
    -jp
