SAS 70, SSAE 16 and SOC Comparison
What’s the difference between SAS 70, SSAE 16 and SOC?
SAS 70 is the old standard that was never designed for certain service organizations that offer colocation, managed dedicated servers or cloud hosting services. It was initially established to provide auditors information and verification about data center controls and processes as it relates to the data center user and their financial reporting.
A SAS 70 audit does not set any standards for data center excellence; it merely verifies that the controls and processes set in place by a data center are actually followed. Additionally, no certification exists for SAS 70, only an auditing process. The problem arose that the data center service industry required some type of certification of excellence.
The SSAE 16 (Statements on Standards for Attestation Engagements No. 16) goes beyond SAS 70 by not only verifying the controls and processes, but also requiring a written assertion regarding the design and operating effectiveness of the controls being reviewed.
The SSAE 16 audit will result in a Service Organization Control (SOC) 1 report. This report focuses on internal controls over financial reporting. A SOC 1, Type 1 report focuses on the auditors’ opinion of the accuracy and completeness of the data center management’s design of controls, system and/or service. A SOC 1, Type 2 report includes Type 1 and an audit on the effectiveness of controls over a certain time period, normally between six months and a year.
SOC 2 and SOC 3 provide pre-defined, standard benchmarks for controls related to the security, availability, processing integrity, confidentiality, or privacy of a system and its information.
A SOC 3 report is for general use, and provides a level of certification for data center operators that assure data center users of facility security, high availability and process integrity. While a SOC 2 report includes service auditor testing and results, a SOC 3 report provides only the system description and auditor opinion.
Find more information about SAS 70, SSAE 16 & SOC:
Other Related Articles:
Attn, Healthcare Industry: SAS 70 is No Zombie
Although SAS 70 (Statement on Auditing Standards) has been dead for quite some time now, we’ve found that those lagging in the health IT industry may still be confused about why SAS 70 is no longer the audit to look … Continue reading →
Data Center Standards Cheat Sheet: From HIPAA to SOC 2
With the confusion regarding what audits and auditor reports apply to certain aspects of data center standards, I felt the need to create a basic data center/hosting solution audit cheat sheet to simplify matters. Here’s your comprehensive guide to data … Continue reading →
SOC 1, SOC 2 & SOC 3 Report Comparison
In April 2010, the AICPA (American Institute of Certified Public Accountants) announced the replacement of SAS 70 by a new and refined auditing standard, the Statement on Standards for Attestation Engagements or SSAE 16. While SAS 70 was originally intended … Continue reading →
What is a Service Organization Control (SOC) 2 report?
Introduced in 2011, Service Organization Control (SOC) reports are becoming more and more popular in data security and compliance discussions with every passing year, especially … Continue reading →