
Beyond SSAE 16 Certified

August 13, 2012

All I can say is, “Wow”.  In my inbox this morning was a press release from Verian, a “world leader in universal purchasing and invoice processing systems” with a headline that states “Verian Recognized by AICPA for Delivering Highest Levels of Quality and Security”. Of course I had to see what that was all about.

Turns out, Verian completed an SSAE 16 attestation. Nothing in the accompanying press release says anything about special recognition from the AICPA. The press release goes on to talk about the value of the SOC 1 report and why all their customers can trust them because “The completion of the SOC 1 Type II examination typifies Verian’s continued commitment to create and maintain the most stringent controls needed to ensure the highest quality and security of services provided to their customers.”

That “may” be true but it certainly does not indicate that the AICPA provided any special recognition of Verian’s quality and security. I can understand why the company wants to issue a press release to announce the completion of the SSAE 16 attestation. But to announce it as recognition from the AICPA is over the top. This goes way beyond saying you are “SSAE 16 Certified”.

The average reader would assume that this SSAE 16 must be a “major award” from the AICPA when in fact it is nothing more than an independent attestation that Verian does what they describe in their own description of their own controls over their system.

I recognize that marketing people get paid to create press releases and that headlines are what attracts people to read them. Hey, it worked on me.  But this headline is misleading and over the top.  So all you marketing people, please don’t try to mislead your customers and potential customers with flamboyant claims about special recognition. Doing so just further diminishes the value of a well written SSAE 16 report.


SOC 2 is NOT SSAE 16

December 21, 2011

I just saw the following link related to a data center audit:

Cbeyond One of First SSAE 16 Certified Cloud Companies

Just when I thought things were getting better, along comes this press release that is wrong on so many levels I don’t even know where to begin… but I’ll try.

First off, SSAE 16 is NOT a certification as I have pointed out MANY times.  (see Just as I Predicted…)  Secondly, SOC 2 is totally unrelated to SSAE 16.  Statement on Standards for Attestation Engagements (SSAE) 16 is specific guidance to CPA firms for planning and conducting Service Organization Control (SOC) 1 reviews. Those are reviews intended for controls at service organizations likely to be relevant to user entities’ internal control over financial reporting.

So far, the AICPA has not released any specific SSAE for SOC 2.  There is an official “guide” to conducting a SOC 2 engagement, but there is not a specific Statement on Standards for Attestation Engagements (SSAE).

The following paragraph highlights the rampant confusion that exists in the marketplace regarding the new AICPA standards for Service Organization audits that replaced the old SAS 70 standard:

“Considered the second-generation data center audit standard, SSAE 16 SOC 2 reviews evaluate the design and operational effectiveness of a center’s controls against a strict series of international standards. Earning SSAE 16 certification demonstrates that Cbeyond Cloud Services is fully compliant with all necessary security and privacy specifications, and demonstrates that its customers are served and hosted in a highly secure, controlled facility.”

Neither SSAE 16 (SOC 1) nor SOC 2 is a “data center audit standard”.  And the SOC 2 criteria are NOT an “international standard”.

It is difficult to tell from this press release exactly what Cbeyond did since the press release is mixing SSAE 16 (SOC 1) and SOC 2 together.  Claiming “certification” is just more of the same ignorance that most of the industry shares.

If you are writing or reading press releases from data centers and cloud providers as a normal part of your day, please take the time to understand the new standards and what they mean.  Press releases like this one do nothing to clear the confusion created by the new SOC standards.  If you have questions about the standards, please speak to a qualified member of a CPA firm in order to ensure you are writing and reading with a full understanding.

Just as I Predicted…

July 20, 2011

C7 Data Centers Completes SSAE 16 Certification — Colocation and IT infrastructure provider C7 Data Centers, Inc. (C7) today announced the completion of the SSAE 16 audit certification for its data center facilities. C7 is the first data center provider in the West to meet this new standard.

The link and press release summary above is just one of several in the last few weeks touting “SSAE 16 Certification”.  This one goes above and beyond by stating “The SSAE 16 defines all of the requirements applicable to data centers and other hosting providers.”  Really?  Having read the standard pretty much cover to cover, I don’t recall seeing ANY requirements applicable to data centers and other hosting providers.  SSAE stands for Statement on Standards for Attestation Engagements.  It is an ATTESTATION standard, not a data center standard.  It does NOT define requirements for data centers or any other type of business. And by the way, the data center provider in question didn’t meet the SSAE 16 standard.  Their auditor did, or at least attempted to.  More on that later.

The CEO of the company in question makes matters worse by stating “We are pleased to have met all requirements for the SSAE 16 certification (emphasis mine) for our data center facilities. Passing the SSAE 16 audit demonstrates C7’s commitment to our current and prospective customers. They can be confident that C7 is operating in a transparent and professional manner consistent with the highest control guidelines and standards in the data center industry.”

Passing an SSAE 16 audit merely demonstrates that the system description provided to (or developed by) their audit firm of choice was accurate and complete and that the controls they described (again not based on any written standard for data centers or otherwise) were described accurately.  Note that the article does not specify if this was a Type I or a Type II report.  Based on the level of hyperbole utilized in this release, I’m betting it was a Type I report.  If that is accurate, then passing the audit merely means that the independent accounting firm that produced the report agreed that the design of the controls that C7 presented to the auditors was adequate.  No testing as to whether they were actually working as described would have been conducted.   In fact, the opinion letter would include something like, “Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design of the controls to achieve the related control objectives stated in the description, based on our examination.”

In other words, based on what you told us, the design of the controls is suitable.  Nothing more, nothing less.

Now, about their auditor.  The new SSAE 16 standard is very clear that these reports “focus solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements.”  So the question becomes, what relevance does a colocation provider’s services have to the financial statements of their customers?  The obvious answer is little or none.  So why did their auditors agree to perform the SSAE 16 audit in the first place?  The short answer is “Because the customer is always right”.

Look back at my prior blog entry to see that my predictions are coming true already.  Sometimes I hate being right.