Executives looking to expand their data centers and improve the level of service they provide their customers also face the challenge of meeting the American Institute of CPAs' Statement on Standards for Attestation Engagements (SSAE) 16 audit standards.
These SSAE Service Operations Controls (SOCs) have three versions; understanding which control applies to you requires some research.
Here are five of the problems data center CEOs run into when meeting SSAE requirements, along with some information you should find helpful in deciding which services and strategies to put in place for your managed services facilities.
1. The Costs of the Report
Having your data center audited to produce a report starts at around $15,000, and costs are more likely to land in the $25,000 to $30,000 range. When the CEO of a new hosting provider or colocation facility weighs the cost of the report against the potential loss of customers who require SSAE compliance, pursuing other security and reliability standards instead is tempting.
It isn’t just the pure dollar cost of the report, either. Whether or not SSAE 16 certification is required by law is often unclear, because much of the information published about the standard is written for lawyers, accountants, and consultants rather than technology business executives.
Data centers need to weigh the expense of having a specific report completed against the alternatives: marketing to customers who don’t require SSAE certification, or declining the audit altogether.
2. Intentional Acts
Though most data center personnel are professional, reliable, and morally astute, an audit may uncover what looks like a “Band-Aid” fix on a control, and a single finding like that can drastically change the direction of the entire audit.
One exposure is likely to intensify scrutiny of every line item on the report, and the cost of remediating the gaps may not be in the immediate operating budget. Another (less strict) report that data center executives can consider is the ISAE 3402.
These standards read as if the same PR company named them all, and it may take several reads of the acronyms to remember them, not to mention the reports they support.
3. Reports are Mandatory for Data Centers Serving Certain Industries
Data centers that manage information for these industries require SSAE 16 compliance:
- Financial services
- Extended public sectors such as schools and social services
- Many regulated industries, such as utilities, retail, and xSPs hosting e-commerce sites, that are under high security/audit scrutiny
If your data center serves these industry segments, having your CPA complete the appropriate SOC/SSAE 16 report is recommended.
4. Preparation for SSAE 16 Audits
An SSAE examination requires the appropriate documents, personnel, and other resources, and specific individuals on your staff may be required to deliver them and manage the process for your facility.
On a positive note, the CPA could give your team useful insight into how their work, and following SSAE standards, can make them more effective at their jobs and improve your service’s operations.
Hopefully the documentation the auditor requires won’t be difficult to pull together, and your company’s privacy should be protected, since the auditor’s report does not ship your documents to any third-party assessors. Confirming this with the auditor before they roll up their sleeves never hurts.
5. Many Options, Not All Seem Relevant
There are many combinations of SSAE 16, SOC 1, SOC 2, and SOC 3 that you can sign up for and have audited. SSAE 16 SOC 1 is about financial compliance, not technology security, reliability, and scalability, so many data center CEOs may let their existing accounting documents stand for their financial audits instead of having one done for their customers’ “satisfaction” or “peace of mind.”
Some data centers have only a SOC 1 report done, yet promote themselves as certified against SOC 2 or SOC 3 without knowing the specifics of those technical evaluations.
Unlike PCI DSS compliance, there isn’t a wealth of business-friendly websites from a central organization; you’ll find more information from third-party auditors than from the AICPA itself.
Have you contacted a CPA to thoroughly review your data center’s financials, personnel, and/or infrastructure technology? Have you had an SSAE audit completed and now wonder what its strategic value was?
Tell us about your experiences in the comments section below!