If you think an auditor is somebody whose job is to tell you what you’re doing wrong in your data center, it may be time to update your ideas – or your auditor! A data center audit can offer useful input at different levels to help data center managers to achieve their business goals.
This includes objective advice on what needs to be fixed and recognition of things being done well. Some exceptions exist where consulting is deliberately kept separate from the auditing activity (ISO management system certification audits, for instance). Elsewhere, however, the potential for a data center audit to add value should not be ignored.
How Is a Data Center Audit Done?
Auditing starts with measuring and comparing, whether in data centers or elsewhere. It needs metrics and standards that can be applied consistently and give meaningful output.
For the past two decades or so, data centers have often used AICPA SAS 70, or to spell it out in full, the “American Institute of Certified Public Accountants Statement on Auditing Standards No. 70” audit. Essentially, under SAS 70 a service organization documents its own system of controls, and an independent auditor examines those controls and reports to the organization's stakeholders on how well practice complies with policy.
More recently, the AICPA brought in SSAE 16 (Statements on Standards for Attestation Engagements No. 16), which replaced SAS 70 in 2011, and three associated Service Organization Control (SOC) reporting levels:
- A SOC 1 report covers the controls at a service organization (the data center in this case) that are relevant to its customers' financial reporting, and is intended for the customers and their financial auditors.
- A SOC 2 report details controls for the security, availability, processing integrity, confidentiality, and privacy of a system and its information, and is intended for customers and other parties who need that level of detail.
- A SOC 3 report is for general release with a summary statement on the effectiveness of the controls in place at the data center.
SOC 1 and SOC 2 reports each come in two forms: a Type 1 report covers the description and design of the controls at a specific date, while a Type 2 report also tests whether the controls operated effectively over a review period (typically six to twelve months). A Type 2 report is therefore the stronger evidence for a customer assessing a data center.
From Pointing Out Problems to Putting Things Right
Things that are wrong need to be identified. Constructive auditing practices then offer a structure within which to put things right. A popular approach is the “Five Cs”:
- Condition: What is the problem?
- Criteria: Which standard is not being met?
- Cause: Why did the problem happen?
- Consequence: What is the impact (risk, loss) due to the problem?
- Corrective action: What should data center management do about the problem, and by when?
Building Further Enterprise Value from Audit Reports
A SOC 3 report is already a sales argument for convincing users and customers that a data center is run professionally and reliably. Whether the data center serves just one organization or a number of different customers, as in a colocation service, data center guarantees play a large part in an enterprise's overall credibility and brand image.
Forward-looking audit practices go still further.
While remaining objective, auditors take on a counseling role rather than acting only as critics. They use their knowledge of data centers to go beyond the numbers and apply practical business logic to make useful evaluations and help achieve business goals.
Do you use internal or external auditors for your data center audit? Tell us how you handle this and any pros and cons you see with either approach, with a line or two in the space beneath for comments.