Archive for December, 2011

SSAE 16 “First to Fail”?

December 27, 2011 7 comments

I’m still waiting for a service organization to write a press release that:

  1. is accurate
  2. is free of the word “certification”
  3. shows a moderate level of understanding about SOC attestations
  4. announces that the service organization conducted the right SOC attestation

This morning I was greeted with a press release from First To File®, announcing that they have “passed” their SSAE 16 audit “for the third year in a row”. Hmmm. Considering the SSAE 16 standard wasn’t released until 2010, that’s a pretty neat trick! But that isn’t really why I’m writing about this press release. And I really am not trying to pick on First To File®. Their press release just happens to contain many of the issues I have been trying to address with this blog. Apologies in advance.

It appears to me, based on the description of First to File’s® business (patent prosecution support and document management service), that the SOC 1 audit was probably not the right type of SOC review for them to undertake in the first place. One of the primary reasons that the AICPA decided to do away with SAS 70 and create the SOC standards was that SAS 70 was being misused.

The AICPA white paper describing the new SOC standards says it best: “As organizations became increasingly concerned about risks beyond financial reporting, SAS 70 often was misused as a means to obtain assurance regarding compliance and operations.”¹ SOC 1 reports focus “solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements.”²

So if First to File® is in the business of document management, how do their services have any relevance to a user entity’s financial statements?  They are merely storing intellectual property (IP) in a web-based environment for their customers.  The only impact to the financial statements of their customers would be the fees paid by the customer for the services rendered.  You might even stretch things and conclude that the value of the IP is at risk since it is being stored and protected by a third party.  But that still does not justify the use of a SOC 1 (SSAE 16) report.

Certainly their customers would be interested in knowing what types of controls over the security and confidentiality of that intellectual property First to File® has in place.  This is precisely the scenario that the AICPA created the SOC 2 report for.  It is intended for situations where a report is needed about controls at a service organization intended to mitigate risks related to security, availability, processing integrity, confidentiality, or privacy.  Of these, it appears to me at first glance that customers of a company providing document management services would certainly be interested in controls around security, confidentiality, and privacy.  Perhaps even availability since it would be important to know that the web-based services would be available when needed.

So why would First to File® decide to ask their auditor for an SSAE 16 report? Because the AICPA and many CPA firms have not sufficiently educated the marketplace regarding the intent and appropriateness of SOC 1 vs SOC 2 vs SOC 3. Which is why I felt compelled to share this blog.

I can’t really blame the marketing and public relations folks that drafted the First to File® press release. If CPAs and other controls experts can’t figure out the new standards, we shouldn’t expect marketing folks to get it. If anyone is at fault, it would be the CPA firm that undertook the engagement. They should have done a better job of explaining the options and steered the customer away from SOC 1 and toward SOC 2. If, after thoroughly understanding the options, the company still elected to have a SOC 1 (SSAE 16) report prepared, then all we can say is “the customer is always right”.

¹ Service Organization Controls: Managing Risks by Obtaining a Service Auditor’s Report, AICPA, Nov 2010

² Ibid.

 

SOC 2 is NOT SSAE 16

December 21, 2011 2 comments

I just saw the following link related to a data center audit:

Cbeyond One of First SSAE 16 Certified Cloud Companies

Just when I thought things were getting better, along comes this press release that is wrong on so many levels I don’t even know where to begin... but I’ll try.

First off, SSAE 16 is NOT a certification, as I have pointed out MANY times. (See Just as I Predicted…) Secondly, SOC 2 is totally unrelated to SSAE 16. Statement on Standards for Attestation Engagements (SSAE) 16 is specific guidance to CPA firms for planning and conducting Service Organization Control (SOC) 1 reviews. Those are reviews intended for controls at service organizations likely to be relevant to user entities’ internal control over financial reporting.

So far, the AICPA has not released any specific SSAE for SOC 2.  There is an official “guide” to conducting a SOC 2 engagement, but there is not a specific Statement on Standards for Attestation Engagements (SSAE).

The following paragraph highlights the rampant confusion that exists in the marketplace regarding the new AICPA standards for Service Organization audits that replaced the old SAS 70 standard:

“Considered the second-generation data center audit standard, SSAE 16 SOC 2 reviews evaluate the design and operational effectiveness of a center’s controls against a strict series of international standards. Earning SSAE 16 certification demonstrates that Cbeyond Cloud Services is fully compliant with all necessary security and privacy specifications, and demonstrates that its customers are served and hosted in a highly secure, controlled facility.”

Neither SSAE 16 (SOC 1) nor SOC 2 is a “data center audit standard”. And the SOC 2 criteria are NOT an “international standard”.

It is difficult to tell from this press release exactly what Cbeyond did since the press release is mixing SSAE 16 (SOC 1) and SOC 2 together.  Claiming “certification” is just more of the same ignorance that most of the industry shares.

If you are writing or reading press releases from data centers and cloud providers as a normal part of your day, please take the time to understand the new standards and what they mean.  Press releases like this one do nothing to clear the confusion created by the new SOC standards.  If you have questions about the standards, please speak to a qualified member of a CPA firm in order to ensure you are writing and reading with a full understanding.