SSAE 16 certification for Vendor Portals – There is a new standard in town.
In April 2010, the American Institute of Certified Public Accountants (AICPA) issued a new standard for in-depth examinations of third-party service organizations: Statement on Standards for Attestation Engagements Number 16, or SSAE 16. It replaced Statement on Auditing Standards Number 70, or SAS 70, and is an attestation standard rather than an auditing standard.
The AICPA made the change because SAS 70 was never designed for service organizations that offer colocation, managed dedicated servers or cloud hosting services.
SAS 70 also set no standard for data center excellence; it merely verified that the controls and processes a data center had put in place were being followed. Nor was there any certification under SAS 70, only an audit process and a report. The data center service industry, however, wanted some recognized measure of excellence.
The chief alteration in SSAE 16 is that, in addition to verifying controls and processes as SAS 70 did, it requires a written assertion from the service organization's management regarding the design and operating effectiveness of the controls being reviewed, and the service auditor must obtain that assertion before reporting.
An SSAE 16 engagement results in a Service Organization Control (SOC) report. A SOC 1 report focuses on internal controls over financial reporting, while SOC 2 and SOC 3 reports cover the security-related controls described below; the variations are important for all of us to understand. There is a good breakdown of the three types of SOC reporting on the Online Tech website.
A SOC 1, Type 1 report gives the auditor's opinion on whether the data center management's description of its controls, system and/or service is fair and whether those controls are suitably designed, as of a single point in time. A SOC 1, Type 2 report includes everything in a Type 1 and adds testing of the operating effectiveness of the controls over a period, normally between six months and a year.
SOC 2 and SOC 3 measure controls against pre-defined, standard criteria (the AICPA Trust Services criteria) for the security, availability, processing integrity, confidentiality and/or privacy of a system and its information.
A SOC 2 report is a restricted-use report that includes the system description, the service auditor's tests and their results, and is intended for the provider's customers and their auditors. A SOC 3 report is for general use and provides only the system description and the auditor's opinion, which gives data center operators a public way to assure users of facility security, high availability and processing integrity.
SSAE 16 Certification Elements for SaaS-Based Vendor Portals
Each SOC engagement requires suitable criteria against which the subject matter is evaluated. Suitable criteria must have the following attributes.
Objectivity: the criteria must be free from any form of bias.
Measurability: the criteria must allow reasonably consistent measurement of the subject matter, whether qualitative or quantitative.
Completeness: the criteria must be sufficiently complete that no applicable factor that could alter a conclusion about the subject matter is omitted.
Relevance: every criterion must be pertinent to the subject matter.
In my experience, the SSAE 16 certification is a much more difficult standard as it forces the auditors to evaluate the ongoing commitment of management to continually evaluate and improve their controls. A healthy organization needs to be actively asking the question of how they can improve their controls and they need to document their efforts.
When considering a provider for your Vendor Portal you must insist that the provider has a current SSAE 16 SOC 1, Type 2 report covering a recent period, and you should read it rather than accept a certificate or logo in its place, since SSAE 16 produces an attestation report, not a certification. Because SOC 1 addresses controls relevant to financial reporting, also ask for the SOC 2, Type 2 report if the portal will store or process your data, as that is where the security, availability and confidentiality controls are tested. It is very important that you accept nothing less.