Two of the most common audit standards for data center and cloud service providers are SOC 1 and SOC 2, both of which are issued under the SSAE 16 Type II attestation standard. These standards are created by the Auditing Standards Board (ASB) of the American Institute of CPAs (AICPA) to assure the customers of service providers that the controls around their services are operating securely and effectively.
Every so often, the ASB revises these standards. In 2017, SSAE 16 (which stands for Statement on Standards for Attestation Engagements — yes, these audits are frequently a mouthful) was replaced by SSAE 18 for all audits dated May 1st and later.
Let’s take a look at why data centers and cloud providers certify under SOC 1, SOC 2, and SSAE — and see how the SSAE 18 changes might impact them in 2017.
SOC 1 places its emphasis on service provider operations that can affect customer financials, including business processes and IT systems.
One reason SOC 2 was added was the proliferation of cloud computing services and the trend for businesses to outsource their IT infrastructure to service providers. This created liability concerns that the audit controls are meant to address.
Both come in a Type I and a Type II. A Type I report certifies controls at a single point in time, while a Type II report describes general controls and business operations over a period of time, generally one year.
The audits include an opinion letter describing the overall report; management’s assertion that the report is accurate; a description of the service provider’s system including policies, procedures, employees, processes, and operations; a description of the tests of the described controls; and a catch-all “other information” section for areas not tested like disaster recovery.
In layman’s terms, SSAE = SOC (which stands for Service Organization Control, if you’re wondering). These controls are certified via third party audit and are essentially a stamp of approval proving that service providers meet minimum standards of data handling, management, availability, security, and so forth.
SSAE 18 is now the catch-all report for all organizations, going forward from May 1st, 2017. For service providers, SSAE 18 includes these changes:
CSOCs, or complementary subservice organization controls, must be documented. Service providers that use other service providers for key functions must include them within the design of their system description. One easy way to include a description of the subservice organizations’ controls is to request a SOC 1 report from those organizations (what a nesting doll of regulatory documentation!).
In addition, your practices for monitoring subservice organizations must be included in your controls. This belongs in the management description section rather than in the auditor’s control testing. Control suggestions for subservice providers include:
Another change to the management description is that service providers must themselves identify the controls necessary to achieve the stated objectives. In other words, your Director of Compliance, Compliance Officer, or Operations Manager (or whichever role manages compliance) should list the security controls, business processes, employee stakeholders, firewalls, antivirus/antimalware tools, IPS/IDS, encryption, and so forth that combine to meet the requirements of the audit.
The philosophy here is that by identifying these controls yourself, you are instructing the auditor to test them as proof that they meet the objectives. Any non-essential controls should be removed from the description as part of these revisions.
Finally, management’s assertion now includes a set of minimum criteria, which is intended to make SOC reports more consistent and comparable between different organizations.
There are some additional minor changes concerning the definition of “misstatement” and the formatting of the service auditor’s opinion, but the most important changes for service providers are the ones listed above. To learn more about SSAE 18, you can dig through the standard itself from the AICPA.