If you think an auditor is somebody whose job is simply to tell you what you’re doing wrong in your data center, it may be time to update your ideas – or your auditor! A data center audit can offer useful input at different levels to help data center managers to achieve their business goals.
This includes objective advice on what needs to be fixed, but also recognition of things that are being done well. There are some exceptions to this, where consulting is deliberately omitted from the auditing activity (ISO systems auditing, for instance). Elsewhere, however, the potential for a data center audit to add value should not be ignored.
How Is a Data Center Audit Done?
Auditing, whether in data centers or elsewhere, starts with measuring and comparing. It needs metrics and standards that can be applied consistently and that give meaningful output.
For the past two decades or so, data centers have often used the AICPA SAS 70 audit, or to spell it out in full, the “American Institute of Certified Public Accountants Statement on Auditing Standards No. 70” audit. Essentially, SAS 70 requires that an organization make its own system of controls and then audit those controls to tell its stakeholders how well practice complies with policy.
More recently, the AICPA brought in SSAE 16 (Statements on Standards for Attestation Engagements No. 16) and three associated Service Organization Control (SOC) reporting levels:
- A SOC 1 report concerns the accuracy and completeness of the description of the system (the data center in this case) at a specific date.
- A SOC 2 report provides details on controls for security, availability, processing integrity, confidentiality, and privacy of a system and its information.
- A SOC 3 report is for general release with a summary statement on the effectiveness of the controls in place at the data center.
From Pointing Out Problems to Putting Things Right
Things that are wrong need to be identified. Constructive auditing practices then offer a structure within which to put things right. A popular approach is the “Five Cs”:
- Condition: What is the problem?
- Criteria: Which standard is not being met?
- Cause: Why did the problem happen?
- Consequence: What is the impact (risk, loss) due to the problem?
- Corrective action: What should data center management do about the problem and by when?
Building Further Enterprise Value from Audit Reports
A SOC 3 report is already a sales argument for convincing users and customers that a data center is run professionally and reliably. Whether the data center serves just one organization or a number of different customers as in a colocation service, data center guarantees play a large part in the overall credibility and brand image of an enterprise.
Forward-looking audit practices go still further.
While remaining objective, auditors take on a counseling role rather than acting only as critics. They use their knowledge of data centers to go further than the numbers, applying practical business logic to make useful evaluations and to help in achieving business goals.
Do you use internal or external auditors for your data center audit? Tell us how you handle this and any pros and cons you see with either approach, with a line or two in the space beneath for comments.