Just as I Predicted……
C7 Data Centers Completes SSAE 16 Certification — Colocation and IT infrastructure provider C7 Data Centers, Inc. (C7) today announced the completion of the SSAE 16 audit certification for its data center facilities. C7 is the first data center provider in the West to meet this new standard.
The link and press release summary above is just one of several in the last few weeks touting “SSAE 16 Certification”. This one goes above and beyond by stating “The SSAE 16 defines all of the requirements applicable to data centers and other hosting providers.” Really? Having read the standard pretty much cover to cover, I don’t recall seeing ANY requirements applicable to data centers and other hosting providers. SSAE stands for Statement on Standards for Attestation Engagements. It is an ATTESTATION standard, not a data center standard. It does NOT define requirements for data centers or any other type of business. And by the way, the data center provider in question didn’t meet the SSAE 16 standard. Their auditor did, or at least attempted to. More on that later.
The CEO of the company in question makes matters worse by stating “We are pleased to have met all requirements for the SSAE 16 certification (emphasis mine) for our data center facilities. Passing the SSAE 16 audit demonstrates C7’s commitment to our current and prospective customers. They can be confident that C7 is operating in a transparent and professional manner consistent with the highest control guidelines and standards in the data center industry.”
Passing an SSAE 16 audit merely demonstrates that the system description provided to (or developed by) their audit firm of choice was accurate and complete and that the controls they described (again not based on any written standard for data centers or otherwise) were described accurately. Note that the article does not specify if this was a Type I or a Type II report. Based on the level of hyperbole utilized in this release, I’m betting it was a Type I report. If that is accurate, then passing the audit merely means that the independent accounting firm that produced the report agreed that the design of the controls that C7 presented to the auditors was adequate. No testing as to whether they were actually working as described would have been conducted. In fact, the opinion letter would include something like, “Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design of the controls to achieve the related control objectives stated in the description, based on our examination.”
In other words, based on what you told us, the design of the controls is suitable. Nothing more, nothing less.
Now, about their auditor. The new SSAE 16 standard is very clear that these reports “focus solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements.” So the question becomes, what relevance does a colocation provider’s services have to the financial statements of their customers? The obvious answer is little or none. So why did their auditors agree to perform the SSAE 16 audit in the first place? The short answer is “Because the customer is always right”.
Look back at my prior blog entry to see that my predictions are coming true already. Sometimes I hate being right.
IT Controls Freak 
You claims are not accurate. SSAE 16’s should address the general IT controls supporting the system/services. No one expert in the matter questions that fact. When IT general controls are outsourced to a third party data center, they do not all of a sudden become irrelevant. The third party data center may be included in the scope of any service organization’s SSAE 16 examination through application of the inclusive method. When a data center hosts even one system likely to be relevant to the financial reporting controls of an organization, they become a service organization and SSAE 16 is completely applicable. The accurate statement would be that only those organizations that use the data center to support systems relevant to their internal controls over financial reporting, and their independent auditors, are authorized users of the SSAE 16 report. All others would need to use a different mechanism, such as SOC 2 if they seek validation from a CPA firm, or ISO 27001 certification if they seek validation of compliance with the international standard for the development and management of information security management systems.
David, you are incorrect in your assessment as it applies to SSAE 16 and data centers. There are multiple levels of controls within the IT ecosystem, this also does not go on to say that individual customers should also not comply with a SSAE 16 audit. I would guarantee that C7 or any other data center that has customers that process financial transactions are being required to do the same thing. They have no choice in this matter if they want to be competitive. Its an audit of controls, not the effectiveness of those controls. Data centers didn’t create this issue. These audits take quite awhile to complete, and are quite expensive, so I don’t think its anything that C7 or any other data center does very casually.
Incorrect in what way? I agree that many data centers don’t have a choice, hence my comment that “the customer is always right”. I also agree that data centers didn’t create the issue. My problem with the C7 press release is not their announcement that they had an SSAE 16 audit performed. My problem with it is that they are misrepresenting that audit as a certification, which implies a standard set of criteria that must be met in order to become “certified”. I also take issue with the comment suggesting that “The SSAE 16 defines all of the requirements applicable to data centers and other hosting providers.” It (SSAE 16) does no such thing. Again, the language used implies that SSAE 16 defines requirements which by “passing” the SSAE 16 “audit” equates to certification of their controls.
I must disagree with your comment that it is an audit of controls, not the effectiveness of those controls unless you are referring to a Type I SSAE 16 report. Per SSAE 16, a Type I SSAE 16 attestation is an independent opinion of the DESIGN of the controls. A Type II SSAE 16 attestation is an independent opinion as to the design AND EFFECTIVENESS of those controls.
Thanks for your feedback. It drives home the fact that there is an incredible amount of confusion in the marketplace about what SSAE 16 is and is not.
The only misunderstanding I ever see is from those that write press releases. I have yet to see any blog post poke relevant logical holes in the SAS 70 / SSAE 16 standard itself WHEN USED FOR THE PURPOSES INTENDED. If you want to poke holes in something, look to SOC 2….one of the biggest piles of garbage spit out by the AICPA in a very long time. Rather than allowing it to be the SSAE 16 equivalent on non-ICFR topics, they backed everyone into a corner by forcing the Trust Services principles down our throats. So now you get your defined set of principles and criteria….and a ton of in-applicability where the true opportunity would have been to let the client present what is actually in place, similar to SSAE 16. A static list of prescribed controls is never good…especially when it’s accountants writing the requirements. They become stale over time, and many clients have controls more technologically advanced for their purposes that aren’t even considered. It’s quite a shame that they chose to do it that way and will only perpetuate the misuse of SSAE 16 as the resist adoption of SOC 2.
Dear ABC,
In the future I will not approve comments unless the author provides their identity. I appreciate your feedback but responding anonymously is a little like throwing rocks from behind the bushes? I have clearly identified myself. I would appreciate the same from anyone that wants to respond to my thoughts in this blog.
Regards,
David