SSAE 16 does not measure control points such as security, availability and privacy. It measures the financial controls of a service organization, similar to what SAS 70 used to measure.
SOC 2 does evaluate the design and operational effectiveness of a data center's controls, but it is an entirely separate audit and report from SSAE 16.
SOC 1 measures financial controls, and is essentially the same as SSAE 16.
We see a lot of confusion in the data center industry over this topic as companies attempt to undergo the audits and produce reports, and have written extensively to attempt to clear it up - try reading:
http://resource.onlinetech.com/a-soc-of-a-different-color-critical-difference...
Cbeyond Achieves SSAE 16 SOC 2 Certification for Louisville Data Center
Cbeyond, an IT service provider, has a Louisville data center that is now operating under Statement on Standards for Attestation Engagements (SSAE) 16 Type II SOC 2 certified controls. According to the company, Cbeyond is one of the first cloud providers to receive such certification.
SSAE 16 SOC 2 is considered the second-generation data center audit standard, and evaluates the design and operating effectiveness of a center's controls against a strict series of international standards. SSAE 16 SOC 2 reports replaced SAS 70 Type II audits as the benchmark compliance report for organizations affected by compliance requirements and regulations, including HIPAA, PCI, and SOX.
"SOC 1 measures financial controls, and is essentially the same as SSAE 16." It's not "essentially the same". SOC 1 and SSAE 16 are the same. SOC 1 is simply a marketing term created by the AICPA to help sort out the new reporting options. The two terms are interchangeable.
SSAE 16 may cover security and availability if those topics are relevant to user organizations' internal controls over financial reporting. It is case dependent; however, security is included in some form in virtually every report issued by one of the major CPA firms. Sometimes it is in the form of a dedicated control objective. Other times the related controls are scattered throughout various control objectives.
SOC 2 is used when the services that are the scope of the examination have no bearing on customers' internal controls over financial reporting. In such cases, CPAs are prohibited from applying SOC 1.
To state that SOC 1 measures financial controls is too loose of a description. In short, SOC 1 is designed to provide a CPA's opinion on the fairness of presentation, design and, in most cases, operating effectiveness of a service provider's controls that are relevant to the financial reporting controls of the customers of a service. The controls themselves may have no relation to "financial controls" and never relate to the entity's own financial reporting controls, except to the extent that there is coincidental overlap.