When assessing technology options and evaluating outsourced IT providers, there are a number of questions hedge fund managers should be asking in order to make the best decision for their firms.
As we talk with investment managers – especially those whose firms are considering a move to the cloud – we’re hearing many of these great questions on an increasingly regular basis. One particular area where there tends to be some confusion, however, is the topic of audit standards which govern service organizations and the data centers they manage on behalf of client firms. To help you navigate through the evaluation process, we’ve pulled together a guide to understanding audit terminology and industry standards.
Audit Terminology Defined
You’ve probably heard several different audit-related terms being used to assess service organizations and data center quality. Here are some of the most important terms to be familiar with:
SAS 70 stands for Statement on Auditing Standards No. 70, issued by the American Institute of CPAs (AICPA) in 1992 so that a service organization's auditor could report on controls relevant to its clients' financial reporting. It was later adapted (inconsistently, as discussed below) in an attempt to report on non-financial controls such as security and availability. Clients and end users often asked to see a provider's SAS 70 report, believing it demonstrated that the provider had undergone a comprehensive examination of its controls and related processes.
The issue with a SAS 70 audit is that it only verifies that the controls the service organization itself chose to describe exist and, in a Type II report, operated as described over the review period. The standard prescribes no control objectives of its own, so there is no benchmark against which providers are held accountable: a data center with very robust data protection measures and one with relatively weak controls could both receive a clean SAS 70 opinion. The only place those differences show up is in the body of the lengthy SAS 70 report, which is time consuming to read and complex to decipher.
In 2010, the AICPA acknowledged the deficiencies of SAS 70: it could neither provide in-depth information on a service organization's non-financial controls nor enable user organizations to compare service providers on a common basis. The AICPA therefore replaced SAS 70 with new standards and a new family of reports that better reflect what these providers actually do.
For reporting periods ending on or after June 15, 2011, SSAE 16 (Statement on Standards for Attestation Engagements No. 16) replaced SAS 70 as the authoritative guidance for reporting on controls at a service organization. According to CPA firm Feeley & Driscoll, the new standard better accommodates international businesses, since it is aligned with the equivalent global standard, ISAE 3402. Two practical changes stand out. First, SSAE 16 is an attestation standard, so the service organization's management must provide a written assertion that its system description is fair and that its controls are suitably designed and operating effectively; the auditor then opines on that assertion, which makes the report more detailed and more accountable than a SAS 70. Second, as under SAS 70, a Type I report covers the design of controls as of a point in time while a Type II report also covers their operating effectiveness over a period (commonly six to twelve months); the Type II is the one to ask for.
An engagement conducted under SSAE 16 results in a SOC 1 (Service Organization Control 1) report. Its scope is the service organization's controls that are relevant to its clients' internal control over financial reporting, not the provider's security or availability controls in general. SOC 1 reports are restricted-use documents meant for the service organization, its existing clients and those clients' auditors; they are not intended for prospective customers or the general public, and a provider that offers only a SOC 1 as evidence of security has not answered the question.
SOC 2 is a different engagement from SAS 70 or SSAE 16. It is performed under the AICPA's attestation standards (AT Section 101) and reports on controls against a fixed, published set of criteria, the Trust Services Criteria, which is what makes it suitable for evaluating data centers and service organizations. Because every SOC 2 and SOC 3 report uses those same criteria, two data center reports can be compared on a like-for-like basis, a major improvement over earlier audit standards in which each provider chose its own control objectives.
Specifically, SOC 2 reports cover the service provider's non-financial controls, organized under five Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy. A service organization chooses which of the five are in scope for its engagement and is not required to address all of them, so when comparing providers, first check which principles each report covers; a report scoped to Availability alone says nothing about security. Within the chosen scope, a SOC 2 gives a far more comprehensive evaluation of the provider and its data centers than a SAS 70 did, and, like SOC 1, it is issued as a Type I or Type II report.
SOC 3 covers the same Trust Services Principles as SOC 2 and rests on the same examination, but it is intended to be released publicly. It therefore contains only the auditor's summary opinion on the effectiveness of the controls the data center or service organization has deployed, without the detailed system description and the auditor's tests and results that a SOC 2 includes. A SOC 3 is useful as a first screen; the SOC 2 Type II report, usually obtained under NDA, is what you read before signing.
The transition from SAS 70 to the SOC framework is a welcome change for the outsourced technology industry. SOC reports give data center operators and service organizations a comprehensive, published set of criteria on which to base their controls and policies. They also benefit clients and end users, who get better assurance that providers meet a defined standard for security, availability, processing integrity, confidentiality and data privacy. Two caveats remain. A SOC report is an auditor's opinion on the controls the provider described for the systems, principles and period in scope, not a certification of the provider as a whole. And any exceptions the auditor found during testing appear in the body of the report, not in the opinion letter, so read the scope, the period covered and the exceptions, not just the cover letter.
For more information on data centers and outsourced technology options, see Eze Castle's related articles and resources on cloud computing services.