Is Your Data Center SSAE 16 Certified?

September 4, 2012

Never does plain English seem more beautiful than when you run up against a bunch of industry jargon—particularly when that jargon focuses on compliance with legislation or regulations. So, put your thinking cap on and ignore everything George Orwell said; let’s try to take a brief (and certainly less than comprehensive) look at SSAE 16 certification in the context of data centers.

Get Ready: What Is SSAE 16 Certification?

Try googling “what is SSAE 16 certification.” You’ll find mostly press releases announcing that some company has obtained or is working toward SSAE 16 certification; these news items then explain briefly how wonderful that is. But finding some simple, easy-to-understand information about exactly what SSAE 16 is and what benefits it can really have for your data center is a bit of a challenge. One option, of course, is to go to the source: consult the AICPA (American Institute of Certified Public Accountants) Statements on Standards for Attestation Engagements—already a mouthful—to find the relevant section on SSAE 16: Reporting on Controls at a Service Organization.

The first paragraph of the introduction sets the stage: “This section addresses examination engagements undertaken by a service auditor to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting. It complements AU section 324, Service Organizations, in that reports prepared in accordance with this section may provide appropriate evidence under AU section 324.” Right. Forget that. Let’s try to boil it down a little more.

The AICPA states a little more clearly, “Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service.” In particular, the SOC 1 report, “Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting,” is relevant to SSAE 16. The SOC 1 report is divided into two types: Type 2 deals with “the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period”; Type 1 deals with “the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.”

A table at the AICPA website identifies organizations that might find the SOC 1 report appropriate as those whose customers will use the report to conduct audits of their financial statements and those whose customers will use the report to comply with financial regulations such as Sarbanes-Oxley. So, basically, SSAE 16 certification applies to auditing standards for financial matters, particularly when a company’s customers are receiving services from that company in regard to such matters. SSAE 16 is a replacement for SAS 70. Am I starting to sound like a lawyer? This sort of thing should be no surprise when the grand master of fiscal irresponsibility (the U.S. federal government) passes laws telling everyone else how to be transparent and honest about their finances. Legislation such as Sarbanes-Oxley always creates industries that must deal with the resulting mess (for instance, the tax return preparation business, which results from the inscrutable tax code).

Get Set: Do You Need SSAE 16 Certification?

If you’re just running a data center that provides internal resources to employees for, say, product development or research, you probably have no use for such SSAE 16 certification. If you’re a colocation provider, however, and you wish to serve a broader range of customers, then certification can be beneficial. Customers that have strict security and confidentiality requirements for their data might insist on SSAE 16 certification from service providers. For (a precious few) more details on SSAE 16 certification and its applicability, see “Understanding the SSAE 16 Type II Certification.”

As with any certification, SSAE 16 isn’t about offering a superior service—it’s simply a recognition that your services meet a minimum set of standards. And in this case, it’s not about your core business (delivering IT or data center resources as a service)—it’s about your customers’ business needs. That means the best person to consult about SSAE 16 (that is, whether you need it and whether you would be able to obtain it) isn’t the data center manager, it’s your company’s financial staff (whether in house or contracted).


Determining if SSAE 16 certification is right for your data center depends on your clientele and whether you want to expand that clientele by demonstrating certain safeguards for customers. Like all certifications, SSAE 16 is an added expense and can cause some disruption to service, so it’s not something that you “might as well have.” Be sure, before pursuing it, that it can provide sufficient returns to justify the cost—just like in any business decision.

To this end—and to the end of better understanding exactly what SSAE 16 certification is—you should consult with your financial staff or a CPA knowledgeable in this area. Unfortunately, these types of matters crop up for data center companies: regulations in one industry (such as Sarbanes-Oxley for the financial/corporate sector) often bleed over into other industries. Certifications like LEED or Energy Star (for example), which help establish the efficiency of your actual services, are insufficient for some customers. Because some of these customers must jump through certain hoops, they may require you to do so as well, as a prerequisite for doing business. That’s the sad reality, where regulations rule the day, rather than simply leaving room through fair, affordable legal representation as a means of addressing fraud and contract breaches.

At this point, you should fully understand what SSAE 16 is and how it can benefit your data center. Yes, that’s a joke. But you should at least recognize the potential value SSAE 16 certification can have if you’re providing data center services to a variety of corporate customers. Pursuing certification may or may not be a wise decision for your company, but being aware of this area is beneficial if your company provides colocation or similar services.

About Jeff Clark

Jeff Clark is editor for the Data Center Journal. He holds a bachelor’s degree in physics from the University of Richmond, as well as master’s and doctorate degrees in electrical engineering from Virginia Tech. An author and aspiring renaissance man, his interests range from quantum mechanics and processor technology to drawing and philosophy.


  1. Frank Gaff September 17, 2012 at 8:38 pm -

    Hi Jeff,

    My understanding is that the American Institute of Certified Public Accountants (AICPA) has issued a “FAQs-New Service Organization Standards and Implementation Guidance” that states there is no such thing as a certification for the SSAE 16 standard. Perhaps your article should ask “Is Your Data Center SSAE 16 Compliant”


    Frank Gaff
    Vice President Service Assurance and Chief Compliance Officer
    American Internet Services, LLC

  2. Jeff Clark September 17, 2012 at 11:30 pm -

    Thank you, Frank. I do believe you are correct–I was careless in my use of the word “certification.”
