SOC 1: Why SSAE 16 is Still the King of the Hill

When the American Institute of Certified Public Accountants (AICPA) released its Service Organization Controls (SOC) reporting structure in the latter half of 2011, some believed that the new SOC 2 concept of reporting on controls relevant to Availability, Confidentiality, Processing Integrity, Security, and/or Privacy using the prescriptive Trust Services Principles would play a prominent role in data center reporting.  In the several months that have followed, anecdotal evidence suggests that SOC 1 (aka SSAE 16), which is the successor standard to SAS 70, remains the clear favorite of data centers and that SOC 2 has yet to gain any significant traction.

In leading BrightLine, one of the world’s largest providers of SOC reporting services, I have the unique opportunity to monitor trends in SOC reporting.  I have observed that virtually every data center that previously underwent a SAS 70 audit has opted to continue with SOC 1 examinations.  Some of these data centers elect to couple their SOC 1 examination with an SOC 2 examination, while almost none have elected to forego SOC 1 in favor of SOC 2.

In addition, I have noted that a recurring set of questions is being posed by data center providers.  These questions, and the related answers, largely explain why SOC 1 / SSAE 16 remains so prevalent among hosting providers.  As such, I would like to take this opportunity to share my views on these issues.

Are data centers still valid candidates for SOC 1 examinations?

Yes.  Despite what you may have heard, there is currently no technical guidance prohibiting the application of SOC 1 to data centers so long as the data centers host systems relevant to user entities’ internal controls over financial reporting (ICFR).

Some people make the prima facie argument that hosting services have no obvious relevance to user entities’ ICFR, and thus, SOC 1 is not applicable to data centers’ services.  A more detailed review of the appropriate guidance reveals that this argument is a subjective interpretation devoid of authoritative support.  The AICPA’s SOC 1 guide directly contradicts this argument when it provides examples of valid candidates for SOC 1 examinations that, at first glance, are not obvious candidates for an SOC 1 examination.  This list includes ISPs, Web hosting providers, and ASPs, including those that “provide services similar to traditional mainframe data center service bureaus”. (Ref. Par. 1.06 of the SOC 1 guide)  Obviously, hosting services would fit quite comfortably within the range of these examples.

If we were seeking personal opinions on this matter, AICPA webinars would be an excellent source.  Interestingly enough, during a recent SOC reporting webinar a panel of AICPA experts openly confirmed that SOC 1 is applicable to data centers when the applicability requirements are met.  See the Q&A on this matter in the lower right corner of this screenshot – http://bizy.be/ttosO.

Beyond the guidance and expert opinions, we should consider market trends.  With major data center providers announcing completed SOC 1 examinations on a weekly basis, these trends clearly show that the industry and the “Big 5” of SOC reporting (BrightLine + “The Big 4” global accounting firms) agree that SOC 1 can be applied to data centers.  In other words, the debate about the applicability of SOC 1 to data centers is over.

Can data centers use SOC 2 as a substitute for SOC 1?

No.  The first paragraph of the SSAE 16 standard states that the purpose of SOC 1 examinations is to report on “[…] controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.”  Paragraph 1.10 in the SOC 2 guide states that the purpose of SOC 2 is to “[…] report on a service organization’s controls other than those that are likely to be relevant to user entities’ internal control over financial reporting.”  This purposeful “poison pill” confirms that SOC 2 examinations cannot be used as a substitute for SOC 1 examinations.

Further guidance is found in the SAS 70 standard, which is still very much alive and has been revised to provide guidance to user auditors (i.e., the financial statement auditors of user entities).  Paragraph 24 of the revised standard requires that the user auditors obtain a “service auditor’s report on a service organization’s description of the controls that may be relevant to a user entity’s internal control as it relates to an audit of financial statements […]”.  As previously noted, SOC 2 cannot report on ICFR topics and is, therefore, not a viable alternative to SOC 1 for such purposes.

Are SOC 2 examinations “better” or “more appropriate” than SOC 1 for data centers?

No.  There is absolutely nothing in the current guidance that supports personal opinions that SOC 2 is “better” or “more appropriate” than SOC 1 for data center examinations.  Both guides contain unambiguous applicability requirements.  Data centers either meet the requirements for SOC 1 and/or SOC 2, or they do not.  In the absence of new AICPA guidance, all claims to the contrary are personal opinion and should be treated as such.

Is it true that SOC 1 does not address logical security, physical security and processing integrity topics?

No.  The notion that SOC 1 does not address security or processing integrity is one of the most common errors made by those unfamiliar with SOC reporting.  This error often stems from a misconception that SOC 1 examinations opine on financial reporting controls.  As I noted above, SOC 1 examinations actually report on controls likely to be relevant to user entities’ controls over their own financial reporting, to which security and processing integrity controls are highly relevant.  In fact, the SOC 1 guide includes multiple examples of control objectives and illustrative controls related to logical security, physical security and processing integrity of transactional services.  (Ref. Par. 3.63, 4.48 & illustrative reports of the SOC 1 guide, among many others)

Can data centers undergo both types of examinations?

Yes.  SOC 1 and SOC 2 examinations are not mutually exclusive examinations.  Data centers are often valid candidates for both SOC 1 and SOC 2 examinations.  They are part of a small portion of the overall service organization population for which this is likely to be true and worthwhile.

Why is this the case?  Because data centers normally host systems that are relevant to the ICFR of some customers and not to others.  Therefore, the former will only accept an SOC 1 report for the reasons described above, while the latter are not authorized users of an SOC 1 report and may not rely on it to obtain assurance on topics such as availability, confidentiality, processing integrity, security and/or privacy.  So while nearly every data center that formerly underwent a SAS 70 examination is continuing with an SOC 1 examination to meet the needs of certain customers, many of those organizations are seeing value in coupling it with an SOC 2 examination for the benefit of other customers.

Conclusion

While SOC 2 has potential, SOC 1 remains one of the most important assurance tools for hosting providers.  Decision makers should recognize that data centers are often valid candidates for both SOC 1 and SOC 2 examinations.  Those providers considering either type of SOC examination should realize that it is never a matter of SOC 1 vs. SOC 2.  The real decision is whether the organization should undergo an SOC 1 examination, and separately, whether the organization should undergo an SOC 2 examination.  It is often advisable to engage a CPA firm with significant SOC reporting experience in these discussions.  Such informed analysis may conclude that SOC 1, SOC 2, both, or neither is appropriate for an organization’s particular circumstances.

Also published on Data Center Knowledge at http://www.datacenterknowledge.com/archives/2012/05/01/why-soc-1ssae-16-is-still-the-king-of-the-hill/


ISO 27001 Full Circle with Your Third Party Providers

My organization is seeking ISO 27001 certification but we outsource physical hosting to a third-party. 

How do I have to include that organization in the scope of my Information Security Management System (ISMS) when we are not responsible for those physical and environmental controls?

This question is common for organizations implementing an ISMS.  The struggle over how to treat a critical third party service provider often occurs when an organization is in the early stages of scoping its ISMS.  Some organizations attempt to scope the third party provider within their ISMS, which leads to difficulties when trying to treat the risks that might be applicable to a third party.  Other organizations take a more tolerant approach and “transfer” all applicable outsourcing risk to the third party service provider, without treating the risk at all.  The correct approach is actually somewhere in the middle.

Generally speaking, an organization must exclude a third party from their ISMS risk assessment process if the direct risks related to that third party cannot be reasonably treated by the organization.  For example, consider the physical access controls necessary to mitigate the risk that unauthorized access could be granted to production systems.  If the production systems are maintained at a third party data center, the organization is obviously not accountable for determining appropriate physical security controls, such as assigning access, granting access, monitoring access, and revoking access.

So, using the example described above, can the organization simply disregard these issues under the guise that the third party data center is responsible for these risks and controls?  No.  As production systems would be considered a critical component of any organization’s ISMS, risk cannot be merely transferred to a third party.  There is inherent risk in any outsourced relationship, and the greater the criticality to the ISMS, the greater the risk to the organization.  Management would be required to consider that risk and determine in what way that risk should be treated.

Controls applicable to the management and monitoring of third party service organizations are included within the ISO 27001 control set (specifically within A.6.2 and A.10.2).  While an organization cannot include the controls of a third party provider within their ISMS, they should have a process in place to evaluate and monitor the related third party provider controls to ensure that they are acceptably implemented and meet the expectations of the organization.  Evidence of that monitoring should be available as a record of the ISMS.

Though an organization’s certificate scope statement would not formally include the location and services of a third party provider, be sure that those services and locations would be included within the overall ISMS under the controls related to third-party management and monitoring.  Any appropriately designed ISMS must include a risk assessment process which considers risks related to the services provided by significant third parties such as data centers.

For more information about ISO 27001 visit BrightLine’s website.


Cloud Security Compliance – A Beautiful Mess

The following is a summary of thoughts based on an enthusiastic exchange at the Atlanta Chapter CSA Meeting on January 20th, which was attended by BrightLine Shareholder Ryan Buckner.

First of all, I would like to say thank you to the host and the moderator for a truly fine job of creating this forum, and to the attendees for their various perspectives.  The conference participants ran the gamut, and I was pleased to see representation from attorneys, accountants, consultants, and service providers.  As one would expect from a sizable audience, especially one with IT professionals, the conference demonstrated that the challenges the cloud community faces can be messy, but the conversations they spur can be interesting and honest, and, well, beautiful.

Much of the meeting brought to mind the old saying that “it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.”  Our meeting was filled with various types of stakeholders, each with their own hammer.  The problem is that nobody seems to know if the problem is a nail.  As a practicing CPA and CISSP who manages over 100 SOC projects a year, I attempted to help provide clarity to the participants on SOC reporting topics.  There is still much work to be done in this area.  Others probably felt the same way about their respective “hammers”.

It felt premature to discuss solutions without the proper working groups.  I am also concerned that existing CSA research and guidance has not been given proper consideration.  If that is the case, it would be pointless to waste time re-inventing CSA’s wheel or drafting solutions that are not in line with the general trajectory of CSA’s plans.

There was a healthy discussion on the usual compliance suspects with particular attention to the AICPA’s SOC reporting framework.  Although many seemed to have an opinion on this topic, I can report from the front lines that SOC 1 for cloud providers is prevalent and will remain that way so long as customers demand it.  My guess is that SOC 2 examinations make up less than 1% of all SOC examinations performed to date.  For that reason, I would be hesitant to hang my hat on it at this time.  But in a broader sense, I’m not convinced that the accounting industry should be the first place we look for solutions anyway.

Hopefully my contributions were helpful.  Certainly, the challenges are of the sort where more communication is probably better, and competence is a necessity.  It is clear the cloud community needs continued awareness, education, and sound guidance on these issues, and given that, the host’s efforts today are certainly part of the solution.  I was glad to attend, and look forward to the next discussion.
