Executives looking to expand their data centers and improve the level of service they provide to their customers are also faced with the challenge of meeting the American Institute of CPAs’ Statement on Standards for Attestation Engagements No. 16 (SSAE 16) audit standards.
These SSAE Service Operations Controls (SOCs) come in three versions, and understanding which control applies to you takes some research.
Here are five of the problems which data center CEOs are experiencing with meeting SSAE requirements, and some resources of information you should find helpful in determining the services and strategies you need to put in place for your managed services facilities.
1. The Costs of the Report
Having an audit of your data center conducted to produce a report starts at around $15,000. When the CEO of a new hosting provider or colocation facility tries to justify the cost of the report against the potential loss of customers who require SSAE compliance, it is tempting to just pursue other security and reliability standards. Costs are likely to be in the $25,000 to $30,000 range.
It isn’t just the pure dollar cost of the report either. Whether or not SSAE 16 certification is required by law is uncertain. A lot of the information published about the standard is written for lawyers, accountants, and consultants rather than technology business executives.
Weighing the expense of having a specific report completed against marketing to a target market that doesn’t require SSAE certification, or simply turning down the suggestion of the audit, is an option which data centers need to consider.
2. Intentional Acts
Though most data center personnel are professional, reliable, and morally astute, an audit may uncover what looks like a “Band-Aid” fix on a control, which can drastically change the direction of the entire audit.
One audit exposure is likely to intensify scrutiny of every line item on the report, and the costs of remediating gaps might not be in the immediate operating budget. There is also another (less strict) report which data center executives can consider, called ISAE 3402.
These standards all read as if the same PR company created their names, and it may take a number of reads of the acronyms to remember them, not to mention the reports which they support.
3. Reports are Mandatory for Data Centers Serving Certain Industries
Data centers which manage information for these industries require SSAE 16 compliance:
- Financial services
- Extended public sectors such as schools and social services
- Many regulated industries, such as utilities, retail, and xSPs hosting e-commerce sites, which are under high security/audit scrutiny
If you are a data center which serves these industry segments, having the appropriate SOC/SSAE 16 report completed by your CPA is recommended.
4. Preparation for SSAE 16 Audits
Having the appropriate documents, personnel, and other resources available is required for an SSAE investigation. Individuals on your staff who are also needed for the delivery and management of your facility may be required to take part.
On a positive note, the CPA could provide your team with good insights on how their work, and following SSAE standards, can help them be more effective at their jobs and improve the operations of your service.
The documentation the auditor requires hopefully won’t be difficult to pull together, and your company’s privacy is assured, as their report does not ship your documents to any third-party assessors. It never hurts to confirm this with the auditor, though, before they roll up their sleeves.
5. Many Options, Not All Seem Relevant
There are many combinations of SSAE 16, SOC 1, SOC 2, and SOC 3 which you can sign up for and have audited. SSAE 16 SOC 1 is about financial compliance, not technology security, reliability, and scalability. So many data center CEOs may let their existing accounting documents stand for their financial audits, as opposed to having one done for their customers’ “satisfaction” or “peace of mind.”
Some reports may be done on SOC 1 only, and a data center might promote that it has been certified against SOC 2 or 3 without knowing the specifics of those technical evaluations.
Unlike PCI DSS compliance, there isn’t a wealth of business-friendly websites from a central organization; you’ll find more data from third-party auditors than from the AICPA itself.
Have you contracted with a CPA to conduct a thorough review of your data center financials, personnel, and/or infrastructure technology? Have you had an SSAE audit completed, and now wonder what the strategic value of it was?
Tell us about your experiences in the comments section below!