What is SSAE-16: 2 Report Types & Critics


Logo of the United States Government Accountab...
Logo of the United States Government Accountability Office. (Photo credit: Wikipedia)

Hosting Company Auditing and Certification — Part 2 of 3

Along with Superb Internet’s staff certification for ITIL (covered in Part 1 of this series) and our ISO 9001:2008 certification and registration (Part 3), we are also SSAE-16 Audited.

“Oh, fiddlesticks, that’s a government-infiltration agenda if I ever saw one.”

Man – you again? OK, well, let me explain it. Just, give me a chance here. SSAE-16 (Statement on Standards of Attestation Engagements, #16) was created by the American Institute of Certified Public Accountants (AICPA) as a system of cut-and-dry standards which a business must follow with its finances.

“Must follow. Must follow the lemmings down to Mongoose Hollow.”

Mongoose Hollow … huh, that must be your euphemism for the IRS? Anywho, attestation engagements are worth a quick look. Let’s turn to the U.S. Government Accountability Office (GAO), a governmental agency run by the Comptroller General that “works for congress” (though with its own independent sets of controls) and “investigates how the federal government spends taxpayer dollars.”  According to its Auditing Standard 2.07, attestation engagements “concern examining, reviewing, or performing agreed-upon procedures on a subject matter or an assertion about a subject matter and reporting on the results.”

“Yeah boy!”

Um … I’ll move on. SSAE is extraordinarily difficult to understand – not because its parameters are difficult but because the only explanation of SSAE-16 on the website for the AICPA is at this URL: http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SSAE.aspx.

“You and your capital letters and your big ideas, typing it all in, like the Central Insanity Agency ain’t watching ya.”

Sir, I’m just explaining an accounting method. So … the information from the organization that created the document itself has all information about it BURIED within its website. Additionally, the extent of the information is a massive PDF which includes the language for the standard itself and this explanation describing it: “Reporting on Controls at a Service Organization / This section addresses examination engagements undertaken by a service auditor to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.”

“Read that fourteen times, and it will finally make sense. Once it makes sense, that’s when you know they’ve got ya.”

Well, all right they have me. You win, buddy. Actually it’s much simpler than it sounds. Let’s look below on how to understand SSAE-16 so you know why it means we’re credible alongside our other certifications. We will look at the two types of certifications/reports you can receive. Finally, we will look at critiques to get a broader perspective on the topic – and how it differs from other financial audits.

SSAE-16 in Action

When you get SSAE-16 audited, a third party accounting company makes an assessment of the financial controls your business has in place. It then creates a report and opinion stating the findings of its investigation. The results of the audit make it clear whether or not the business has appropriate, baseline checks and balances in place within its service model so that users can breathe easy.

“I will never allow any man to investigate my machines. It’s unwholesome. Bunch of fellas looking at each other’s numbers.”

All right, that’s uncalled for. And who said it was a man, anyway? Please stop making assumptions. There are two kinds of audit reports. One, also referred to as a Type I audit, is entitled “Report on Controls Placed in Operation.” The other, the Type II version, is called “Report on Controls Placed in Operation and Tests of Operating Effectiveness.” Essentially the first report focuses on the types of controls that are likely operating during a certain window, aka “period of review” – but it does not completely verify that the controls were in placement at that time. The second provides that additional verification that the controls were in place.

“No one will ever either view or review me. That’s why I stay in my cellar with the squirrel artillery, waiting for everyone to leave town.”

Hm. Thanks for the input.

Do You Need SSAE-16 or Not?

The good news: this type of auditing is not legally required for any company that distributes a service. However, it’s possible it will be requested by an outside party – or may even be demanded by their own requirements – or by someone auditing a company that is using your service. Plus, it means it’s less likely that an outside auditor will need to audit your system in order to gauge risk because they will have a standardized assessment of your controls based on the SSAE Type II report.

“Type I, Type II – sounds like they’ve found yet another way to get diabetes into us: through our accountants.”

I don’t think this has anything to do with diabetes, sir. Like many organizations, the reason we choose to have this type of auditing performed is threefold:

  1. It gives us a chance to prove that, alongside our other certifications, we meet standards of legitimacy established by independent third parties.
  2. It gives us access to clients who require this type of auditing and otherwise may not be able to work with us.
  3. It provides another professional perspective on the accounting principles we have established internally.

“That sounds wonderful. Give the government all your business’s numbers, the keys to your house, and your eldest daughter.”\

Sir, that’s out of line. I’m just trying to go over some standards here. Please. A data center that is only used for internal business purposes will not necessarily need to have this type of auditing performed. However, those such as ours that provide a service can benefit from SSAE certification.

As Jeff Clark points out, SSAE-16, rather than being about your core business of the service itself – delivery of services to users –is centrally concerned with the financial needs of your clients. Keep that in mind. It’s why something such as ITIL, which has to do with the quality of service, is so important.

SSAE-16 Case Study: Acquia

Josette Rigsby looked specifically at one company, Acquia, a provider of products and services for use with Drupal (the open-source CMS), to get a sense of whether SSAE auditing can be helpful. She asked how the certification might be useful to vendors seeking to establish credibility.

“I sold cotton candy once at the state fair: no certification, no problem. Cash only. No receipts.”

Sir, we are talking about business services here, not cotton candy. A company such as Acquia, which has a cloud-based model, is able to quell fears among clients related to “security, lack of open standards to prevent platform/vendor lock-in and loosely defined service level agreements.” SSAE-16, however, does not cover all the bases to ensure business legitimacy. Additionally to SSAE, Acquia and other cloud service providers (CSPs) adopt the standards of organization such as OpenStack or CloudStack so that their system has been reviewed by external independent parties coming from numerous angles. Our business, similarly, has the ITIL and ISO certifications as well.

“My show pig Julie once won a certification at the Clarksburg Leaf & Stick Festival. She keeps it on her end table. She’s very proud of it.”

Excellent, tell her I’m rooting for her, and I hope she’ll root for me too.

Beyond SSAE: Why Multiple Certifications Matter

The controls reviewed by SSAE relate to a broad spectrum of business practices, including data backup and security, network maintenance and security, and customer support. However, it is not enough. Let’s see what two critics of the auditing procedure have to say about why the certification is only one piece of establishing legitimacy.

  1. Baseline Standards – As Jeff Clark notes, SSAE-16 auditing does not grade on a scale. It’s a “yes or no” set of parameters. Passing the auditing inspection simply means that a company has a reasonable set of baseline standards as established by the AICPA.
  2. Fuzzy Terminology – Josette Rigsby points out that a business can state during a review that its controls are fine regardless of the auditing process’s findings. If this occurs, the business can state that it has been SSAE audited even though it did not actually pass.

“I just passed gas, does that count? Where’s my certificate, buckaroo?”

Ah come on. We’re in a small room – have some respect. A loophole like that described by Ms. Rigsby means that additional certifications are essential to give clients and partners a better sense of your professional legitimacy. As far as Superb goes, our staff is ITIL Certified (a certification established initially by the United Kingdom government to provide IT standards so that they weren’t only developing independently, in some cases haphazardly, within businesses) as well as ISO 9001:2008 certified and registered.

“Wow, that last one has eight numbers. It must be important. Seven numbers, I would have said, ‘How about one more? Then you’ll have me impressed.’”

I think we’ve covered the fact that you don’t like or appreciate our certifications, sir. Here, have some chamomile tea.

How SSAE-16 Differs from Other Financial Auditing

If you get an audit, you’re typically just looking at your financial figures. SSAE focuses explicitly on how those figures relate to your services – how the services themselves are controlled and guided, and how the services interact with your financial system. An audit can give a sense that your financial system and finances themselves are efficient and sound, but that’s not your clients’ concern. The client cares that you have assurance specifically to your services, so they know that their information and processes are safe within your set of controls.

“I feel very safe. Hm. This tea is delicious. Do you have any honey? I don’t want to have to shake it out of the beehive again, that’s painful.”

Here you go. Drink up.

Summary & Conclusion

Though there are of course critics of SSAE-16, and though some of their concerns are valid, these types of certifications are incredibly important to letting our users know we are transparent about our internal policies. The standards we have adopted, and the analyses and examinations we undergo, allow us to simply and concisely express to our customers that

  1. we meet major industry standards; and
  2. we have undergone the scrutiny of multiple outside organizations to prove it.

by Kent Roberts and Richard Norwood