04-11-19 | References

SAS 70, SSAE 16 and SOC Comparison


What is SAS 70?

SAS 70 is the old standard, which was never designed for certain service organizations that offer colocation, managed dedicated servers or cloud hosting services. It was initially established to provide auditors with information and verification about data center controls and processes as they relate to the data center user and their financial reporting.

A SAS 70 audit does not set any standards for data center excellence; it merely verifies that the controls and processes set in place by a data center are actually followed. Additionally, no certification exists for SAS 70, only an auditing process. This became a problem because the data center service industry required some type of certification of excellence.

What is SSAE 16?

The SSAE 16 (Statements on Standards for Attestation Engagements No. 16) goes beyond SAS 70 by not only verifying the controls and processes, but also requiring a written assertion regarding the design and operating effectiveness of the controls being reviewed.

SOC 1 vs. SSAE 16

The SSAE 16 audit will result in a Service Organization Control (SOC) 1 report. This report focuses on internal controls over financial reporting. A SOC 1, Type 1 report focuses on the auditors’ opinion of the accuracy and completeness of the data center management’s design of controls, system and/or service.

SOC 1, Type 2

A SOC 1, Type 2 report includes Type 1 and an audit of the effectiveness of controls over a certain time period, normally between six months and a year.

SOC 2 and SOC 3

SOC 2 and SOC 3 provide pre-defined, standard benchmarks for controls related to the security, availability, processing integrity, confidentiality, or privacy of a system and its information.

A SOC 3 report is for general use and provides a level of certification for data center operators that assures data center users of facility security, high availability and process integrity. While a SOC 2 report includes service auditor testing and results, a SOC 3 report provides only the system description and auditor opinion.

A culture that’s compliant to the core

At Otava, cloud compliance and security are practices that are natively baked into our people, processes, and technologies, not bolted on afterwards. Our defense-in-depth approach encompasses administrative, physical, and technical safeguards to protect your data in not one but three ways. We offer a whole host of cloud security compliant solutions that keep mission-critical data and systems safe and protected. If a personalized, compliant solution is what your organization needs, talk to an Otava rep today!



About Otava

Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.

