Man driving into Jiffy Lube, car sputtering and smoking.
Attendant: "Looks like you need an oil change buddy."
Buddy: "Yep, I think so. I was here last week and I think they used the wrong oil!"
Attendant: "Nah, we wouldn't do that. In fact we only have one kind of oil here and that's SAS 70."
Buddy: "Well, that's odd; I am told that I need SSAE 16 for mine to work right."
Welcome to my world! We have SAS 70 today, but soon we will have the new synthetic, non-abrasive, engine-cleaning SSAE 16. Sounds fun, right? I sure hope so.
Why the change? Good question. When SAS 70 first appeared in the early 90s, the world's economies weren't quite as intertwined as they are today. It was much harder to do business globally than it is now. (I think the "fad" called the internet has a little something to do with that but I could be wrong!) Now that the oceans have shrunk to a more manageable size, there is a need for the standards that companies use worldwide to match more closely. The goal of the U.S. Statement on Standards for Attestation Engagements 16 (SSAE 16) is to meet a more uniform reporting standard.
What's the difference? It's an "attestation," not an "audit." Google and thefreedictionary.com define attestation as "To affirm to be correct, true, or genuine," and audit as "an inspection, correction, and verification of business accounts." Though they are closely related, they mean different things.
What stays the same? The focus will still be on controls at service organizations when those controls are relevant to their user entities' internal control over financial reporting. (For some reason, servers tend to have quite a bit to do with that!) There will still be a Type 1 and a Type 2 report with similar scopes and formats. The reports will look very similar, but they should be a bit more descriptive. The report will still be used in the same ways and by the same types of user.
What Changes? SSAE 16 is now an attestation and not really an audit. The service auditor will still provide an opinion but it will align itself more closely with existing international attestation standards.
- Written Management Assertion - Management will be required to provide an assertion, to be included in the report, stating the system is fairly represented, suitably designed and implemented and the related controls were suitably designed to achieve the stated control objectives, and that the controls operated effectively throughout the period. The report will reference that management is responsible for preparing the system description, providing the stated services, specifying the control objectives, identifying the risks, selecting the criteria and designing, implementing and documenting controls that are suitably designed and operating effectively. The auditor's opinion remains in the role of providing assurance, not as the entity responsible for the communication.
- System Description - The more inclusive description must detail the services covered, classes of transactions, events other than transactions, report preparation processes, control objectives and related controls, complementary user controls and other relevant aspects of the organization's control environment, risk assessment process, information and communication systems, control activities and monitoring controls. (I think an accountant came up with all of that!)
There are quite a few other differences, but I think these are the big headliners. SoftLayer is committed to making this change and having it available for our customers who require it. Our normal SAS 70 schedule is Nov. 1 – Oct. 31, but we will be accelerating the process to have the SSAE 16 in place as soon as possible.
We are continuously looking at other compliance, reporting, audits and certifications. If you have any that would help you and your business, let us know.