
Beyond SSAE 16 Certified

August 13, 2012

All I can say is, “Wow”. In my inbox this morning was a press release from Verian, a “world leader in universal purchasing and invoice processing systems”, with a headline that states “Verian Recognized by AICPA for Delivering Highest Levels of Quality and Security”. Of course I had to see what that was all about.

Turns out, Verian completed an SSAE 16 attestation. Nothing in the accompanying press release says anything about special recognition from the AICPA. The press release goes on to talk about the value of the SOC 1 report and why all their customers can trust them because “The completion of the SOC 1 Type II examination typifies Verian’s continued commitment to create and maintain the most stringent controls needed to ensure the highest quality and security of services provided to their customers.”

That “may” be true but it certainly does not indicate that the AICPA provided any special recognition of Verian’s quality and security. I can understand why the company wants to issue a press release to announce the completion of the SSAE 16 attestation. But to announce it as recognition from the AICPA is over the top. This goes way beyond saying you are “SSAE 16 Certified”.

The average reader would assume that this SSAE 16 must be a “major award” from the AICPA, when in fact it is nothing more than an independent attestation that Verian does what they describe in their own description of their own controls over their system.

I recognize that marketing people get paid to create press releases and that headlines are what attract people to read them. Hey, it worked on me. But this headline is misleading and over the top. So all you marketing people, please don’t try to mislead your customers and potential customers with flamboyant claims about special recognition. Doing so just further diminishes the value of a well-written SSAE 16 report.


SOCs Rocks? or not……

May 6, 2011

So, the AICPA has killed off a de facto brand, SAS 70, and created three new reporting standards, SOC 1, SOC 2, and SOC 3, to replace it. If that sounds a bit like a Dr. Seuss book, you are in good company. SOC stands for Service Organization Controls, which is what these new reporting standards are supposed to address.

SOC 1 is the “new” SAS 70. The official standard is SSAE 16, or “Statement on Standards for Attestation Engagements number 16” to be precise. When the AICPA announced the demise of SAS 70, they simultaneously introduced SSAE 16 as its replacement. So naturally, as a service organization that has had SAS 70 audits for years and is already “SAS 70 certified”, you will ask your auditor for an SSAE 16 report for 2011, right? Yes, you will. And that is precisely why the new SOC reports will not accomplish what the AICPA wants them to.

The biggest problem with SAS 70 was that it has been misused and abused since Sarbanes-Oxley (the other SOX) became law. It was never intended to be an audit of general IT controls for an unrestricted audience. It was created by auditors for other auditors who were performing financial statement audits. The guidance for SSAE 16 clearly states that a SOC 1 report is also intended for auditors performing financial statement audits. But the service organizations that have had SAS 70 reports are now asking their auditors for SSAE 16 reports because their customers are asking for an SSAE 16 report because it is the “new SAS 70”. Those customers don’t care that the report is intended for use in financial statement audits. They just want the report so that when their auditors ask for the SSAE 16 report (which they inevitably will) it will be available.

SOC 2 and SOC 3 reports could have been the next big thing for companies seeking some kind of assurance over the IT general controls of their cloud and colocation service providers. The reports are based on a standard set of control principles, which makes it easy to know that a given service organization has all the right kinds of controls in place. But because the AICPA did such a poor job of preparing everyone for the change and educating them on which report was best, everyone will just ask for SSAE 16 because it is the replacement for SAS 70. The people in the trenches who are asking for these reports don’t care whether it is appropriate or not. They just want to be able to give the report to the auditors when they ask for it.

And by the way, the auditors asking for the report really don’t care either. As long as they can check the box on their working papers that will soon say “SSAE 16”, it won’t matter whether the service being provided has a financial statement impact on their client or not. They are covered, and that is all that matters.

Meanwhile we still don’t have a certification or a standardized audit to ensure that Cloud Provider A and Cloud Provider B have appropriate IT general controls in place.