Executives looking to expand their data centers and improve the level of service they provide their customers also face the challenge of meeting the American Institute of CPAs' Statement on Standards for Attestation Engagements No. 16 (SSAE 16) audit standard.

The related Service Organization Control (SOC) reports come in three types (SOC 1, SOC 2, and SOC 3); understanding which report applies to you requires some research.

Here are five of the problems data center CEOs experience in meeting SSAE requirements, along with some information that should help you determine the services and strategies you need to implement for your managed services facilities.

1. The Costs of the Report

Having an audit conducted of your data center to produce a report starts at around $15,000, and costs of $25,000 to $30,000 are more typical. When the CEO of a new hosting provider or colocation facility weighs the cost of the report against the potential loss of customers who require an SSAE 16 report, pursuing other security and reliability standards instead is tempting.

It isn't just the dollar cost of the report, either. SSAE 16 is an AICPA attestation standard, not a law; the requirement normally comes from customers whose own auditors need the report, and which customers will insist on it is hard to predict. Much of the information published about the standard is written for lawyers, accountants, and consultants rather than for technology business executives.

Weighing the expense of a specific report against marketing to a target market that doesn't require it, or simply declining the audit altogether, is a decision data centers need to make.

2. Intentional Acts

Though most data center personnel are professional, reliable, and ethical, an audit may uncover what looks like a "Band-Aid" fix on a control, and a single finding like that can change the direction of the entire audit.

One exception is likely to intensify scrutiny of every other line item on the report, and the cost of remediating the gaps it exposes might not be in the immediate operating budget. Data center executives can also consider ISAE 3402, the international (IAASB) counterpart to the SSAE 16 SOC 1 report, which customers outside the United States may ask for instead.

These standards read as if the same PR firm named all of them, and it may take several passes through the acronyms to keep them straight, not to mention the reports each one supports.

3. Reports are Mandatory for Data Centers Serving Certain Industries

Data centers that manage information for the following industries are routinely asked for SSAE 16 reports:

  • Financial services
  • Government
  • Healthcare
  • Extended public sectors such as schools and social services
  • Many other regulated industries, such as utilities, retail, and xSPs hosting e-commerce sites, which face high security and audit scrutiny

If your data center serves these industry segments, having the appropriate SOC report completed by a CPA firm is recommended.

4. Preparation for SSAE 16 Audits

An SSAE 16 audit requires the appropriate documents, personnel, and other resources. The staff the auditor needs to interview are typically the same people who deliver and manage your facility, so plan for the time they will spend away from operations.

On a positive note, the CPA can give your team valuable insight into how their work maps to SSAE controls, which can help them be more effective at their jobs and improve your service's operations.

Hopefully the documentation the auditor requires won't be difficult to pull together. Your company's confidentiality should also be assured, since the auditor's report describes your controls but does not ship your underlying documents to any third-party assessors; confirming this with the auditor before they roll up their sleeves never hurts.

5. Many Options, Not All Seem Relevant

There are many combinations of SSAE 16, SOC 1, SOC 2, and SOC 3 reports (each available in Type I or Type II form) that you can engage a CPA firm to audit. The SSAE 16 SOC 1 report covers the controls that affect your customers' financial reporting, not the security, reliability, or scalability of your technology. Many data center CEOs therefore assume their existing accounting records can stand in for it; they cannot, because a SOC 1 report is about your customers' financial statements rather than your own, so it is only worth commissioning when customers or their auditors ask for it for their "satisfaction" or "peace of mind."

A provider that holds only a SOC 1 report may market itself as "certified" against SOC 2 or SOC 3 without knowing what those reports actually evaluate. None of these reports is a certification: SOC 2 attests to controls over security, availability, processing integrity, confidentiality, and/or privacy, and SOC 3 is a general-use summary of a SOC 2 examination.

Unlike PCI DSS, there isn't a wealth of business-friendly material from a central organization; you'll find more information from third-party auditors than from the AICPA itself.

Have you contacted a CPA to thoroughly review your data center's financials, personnel, and/or infrastructure technology? Have you had an SSAE 16 audit completed and now wonder what strategic value it had?

Tell us about your experiences in the comments section below!

Also, see Are SSAE 16 Data Center Problems Impacting Customers?

Subscribe to the Data Center Sales and Marketing Newsletter (DCSMI)
