Think about the last time you bought hosting or software services from an IT vendor. Was “SAS 70 Certification” included in your vendor evaluation criteria? If so, the following may trouble you:
“The way SAS 70 reports are being marketed, service organizations are implying a level of assurance and trust that simply doesn’t exist,” says Dan Schroeder, a partner with accounting firm Habif, Arogeti & Wynne and chairman of the AICPA’s Information Technology Executive Committee. “It is grossly over the top.”
This quote was published in 2010. It’s even more troubling that three years on, there is still a heavy reliance on SSAE 16, the successor to SAS 70, as a “certification” that systems are secure.
There is a ton of confusion in the marketplace around this particular subject – especially when cloud is being considered as a delivery model. What’s worse: Many buyers don’t know that SSAE 16 has very little bearing on security, because its sole purpose is to provide an “attestation” on the design and effectiveness of internal controls over financial reporting (as was SAS 70).
Why the confusion? According to my good friend Nazif Sharique from UHY Advisors, “not much effort has been made by the profession to bring clarity to this issue and to guide service providers to help them make the right attestation decisions.” If providers are not clear, buyers won’t be, either.
To clear up confusion, I usually recommend clients focus on the specific types of reports that the provider can produce during the evaluation. Once you know this, you can back into what type of audit the provider has undergone:
- A SOC 1 report is produced from a SSAE 16 audit. SSAE 16 is the successor to SAS 70, so the easiest way to look at a SOC 1 report is as a replacement for a SAS 70 report. As mentioned previously, SSAE 16 is focused on internal controls related to financial reporting, not specific IT systems or solutions.
- A SOC 2 report is, unlike the SOC 1, focused on attributes of systems — security, availability, processing integrity, confidentiality and privacy. Collectively, these attributes make up the “Trust Services Principles” framework. Importantly, with a SOC 2 report, a service provider must map its processes against this framework. The benefit: Given that providers have to map against a standard, customers are in a much better position to perform an apples-to-apples comparison between providers. The drawback: Providers get to pick which attributes they want to map against, so it’s important to vet the SOC 2 report thoroughly.
- A SOC 3 report is very similar to a SOC 2 report. The key difference is that it can be used as a marketing tool with the general public, unlike a SOC 2, which is limited to management, customers, auditors and prospects (usually under a nondisclosure agreement).
And there’s one more plot twist to the SOC story. For all three reports, there are two types. A Type 1 report includes the service provider’s description of the system, and the auditor’s opinion about the suitability of the design of the controls over this system. A Type 2 report includes all of the above and the auditor tests the operating effectiveness of the controls over a period of time.
This is key.
With a Type 1 report, you’re only getting a third-party opinion on the design of the controls – not confirmation that the controls actually work. Remember that if you’re in the market for cloud services, especially multi-tenant cloud services, providers may not let you audit them directly. So, do you want to buy cloud services that 1) have not been audited by a third party and 2) you can’t audit yourself? I don’t.
Given all these changes, what is a buyer to do? Refresh your vendor security checklists and make sure a SOC 2, Type 2 report is “must have” as part of evaluation criteria – especially if you’re considering shared cloud services and the provider limits your ability to audit. You also should insist on seeing the detailed results.
This of course does not mean that a SOC 2, Type 2 is all you need to make a proper evaluation. A slew of other due diligence should be included, as well as evidence of other certifications, attestations and standards that are important to you and your business (e.g., PCI, HIPAA, FedRAMP). However, the SOC 2, Type 2 can increase your confidence that the provider is actually doing in practice what they told you in theory during the sales cycle.

About the author
Stanton helps enterprise IT and sourcing leaders rationalize and capitalize on emerging technology opportunities in the context of the global sourcing industry. He brings extensive knowledge of today’s cloud and automation ecosystems, as well as other disruptive trends that are helping to shape and disrupt the business computing landscape. Stanton has been with ISG for more than a decade. During his tenure he has helped clients develop, negotiate and implement cloud infrastructure sourcing strategies, evaluate and select software-as-a-service platforms, identify and implement best-in-class service brokerage models, and assess how the emerging cloud master architecture can be leveraged for competitive advantage. Stanton has also guided a number of leading service providers in the development of next-generation cloud strategies. Stanton is a recognized industry expert, and has been quoted in CIO, Forbes and The Times of London. You can follow Stanton on Twitter: @stantonmjones.