In mid-2011, the American Institute of Certified Public Accountants (AICPA)
established a Service Organization Controls (SOC) reporting framework in
hopes of providing the public and CPAs with a clearer understanding of the
reporting options for service organizations. Additionally, the AICPA sought
to reduce the risk of misuse of SSAE 16, which recently superseded SAS 70, as
a mechanism for reporting on security, compliance, and operational controls.
To achieve these goals, the AICPA released the following reporting framework:
SOC 1: Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (also known as SSAE 16)
SOC 2: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
SOC 3: SysTrust for Service Organizations
Of the three, SO...
SSAE 16 is one of the most widely known tools for providing assurances to
data center customers. It is demanded by customers and there is no
substitute for it.
And yet, a myth that the SSAE 16 standard is not applicable to the industry
persists. As such, data center providers have no choice but to arm
themselves with the following facts about SSAE 16 applicability.
The Technical Basis
The technical guidance for SSAE 16 has two major components: the SSAE 16 standard itself and the related guide titled “Service Organizations – Applying SSAE No. 16, Reporting on Controls a...