SAS 70 vs. SSAE 16: What’s the Difference?

Brian Wood Blog

For years SAS 70 was touted on a number of websites for businesses offering data center services. It was the equivalent of the “Good Housekeeping” stamp of approval since its inception as a cornerstone audit in 1992.

SAS 70 was retired in 2011 and replaced by SSAE 16.

AIS first achieved compliance for the SSAE 16 SOC 1 report as well as the AT 101 SOC 2 report in 2011, in order to give customers assurance that appropriate controls are in place.

The real difference between SAS 70 and SSAE 16 is that the latter reports have an attestation component, which is to say management is required to provide a written assertion regarding the controls' design, objectives, and implementation.

Basically, management asserts that it has X controls which provide Y functionality or service; an auditor then checks that X exists and is functioning properly for the length of the sampling period, and that it is the proper control to provide the specified solution.

Management is then required to sign written assertions attesting that they agree with the final document and conclusions.

These changes bring the reporting much closer to a Sarbanes-Oxley style reporting structure as well as moving the American Institute of Certified Professional Accountants (AICPA) standards closer to the International Federation of Accountants standards.

The AIS controls matrix covers all aspects of the business, including but not limited to:

  • Service Delivery
  • Solutions Design
  • Computer Operations
  • Logical and Physical Security
  • Change Management
  • Incident Management
  • Disaster Recovery / Business Continuity Planning

For clients and their auditors, the SSAE 16 framework represents a significant upgrade over the older SAS 70 reporting. The attestation requirement forces senior management to more fully commit to the existence and status of controls, and it provides improved assurance that the required controls truly exist as described.

Always insist on reviewing the audit report.

About the Author

Frank Gaff is VP of Service Assurance and Chief Compliance Officer. He has over 30 years of experience in IT, data center, and telecommunications operations. At AIS, he is responsible for the Service Delivery and Client Services organization, managing the client experience from order entry to service implementation and ongoing 24x7x365 client support.

Mr. Gaff took over responsibility for compliance and drove company efforts to complete the SSAE 16 SOC 1 Type 2, the SSAE 16 SOC 2 Type 2, and the SSAE 16 SOC 3 audits for our San Diego and Phoenix enterprise-class data centers. He also spearheaded the AIS Change Management and Incident Management procedures that were developed and implemented using the Information Technology Infrastructure Library (ITIL) architecture.