SSAE 16 and SOC Insights – Data Centers and Colocations
Service Organization Control Reports and Data Center Compliance
The new SOC reporting framework provides service organizations with better options for reporting on their internal controls. This reporting framework replaces the old SAS 70 standard. The new framework gives data centers and service organizations three reporting options: SSAE 16/SOC 1, SOC 2/TSP and SOC 3/SysTrust.
Reckenen conducted a survey of data centers and colocations to understand the adoption of the SOC standard and found the following three key insights:
1. SOC 2 Reporting Standard Is Gaining Popularity For Data Centers
In 2012, SOC 2 reports were about 7% of the total SOC-based audits conducted for data centers, while in 2013 so far 14% of the audits have been for SOC 2, a YOY growth of 100%. Reckenen Inc. surveyed 91 data centers and found that 90% of the colocation data centers are SOC compliant. 82% of the data centers are SOC 1 or SSAE 16 audited. The remaining 18% are either SOC 2 or SOC 3 compliant.
Please read the article under industry perspectives on Data Center Knowledge.
2. “Client Needs” Is The Top Reason For SOC Compliance
Data centers quoted the following reasons.
- The customers of the data center are asking for a SOC certification.
- Their competitors have a SOC certification so they want one as well.
- The data centers without SOC certification are not being invited to bid on significant contract opportunities and they feel that having a SOC certification will enable them to bid on these contracts.
When we put these reasons together, a consistent message seems to emerge: SOC certification represents a competitive advantage.
3. Most Data Centers Choose End Of Year For Compliance Audits
Over 40% of the SOC audits are performed in Q4 of each year to facilitate user organizations' end-of-year audits and compliance needs under ICFR. Most of the data center engagements cover 6 months, while some organizations cover a 12-month period. Although there are no set criteria or minimum requirements for the period covered under SOC 2, for SOC 1/SSAE 16, 6 months is generally the minimum.
For SOC 2, the auditor should consider whether a report covering that period will be useful to users of the report, particularly if many of the controls related to the applicable trust services criteria are performed on a monthly or quarterly basis. The practitioner would need to use professional judgment in determining whether the report covers a sufficient period.
Reckenen conducted a survey of 91 data centers randomly sampled from a list of over 1100 data centers from http://datacentermap.com. We identified whether an organization had gone through SOC compliance by checking the seal in the case of SOC 3 or by any media press releases about the audits.