SAS 70, SSAE 16, SOC Reports and Your IT Infrastructure
In 1992, the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) issued its Statement on Auditing Standards No. 70 (SAS 70) to guide independent, third-party auditors reporting on controls at service organizations. SAS 70 reports were intended to be relevant only in the context of a company’s internal control over financial reporting (ICFR). Almost 20 years later, the AICPA recognized the need for a framework that would give service providers a way to report to their clients on procedures outside of ICFR, and allow prospective clients to examine the standards and policies of the providers. This need gave rise to a new reporting structure that better aligns with the services provided by Internap and other IT infrastructure service providers. In April 2010, the ASB issued Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization, which replaces the SAS 70 guidance.
In June 2011, the new requirements for reporting on controls at all service organizations went into effect. There are now three Service Organization Control (SOC) reporting options: SOC 1, SOC 2 and SOC 3.
- SOC 1 reports, which are governed by the SSAE 16 framework, focus solely on service organization controls that are likely to be relevant to an audit of a user entity’s financial statements.
- SOC 2 reports, which are governed by the AICPA’s Attest Engagements 101 guidance (AT 101), refer to independent reports that address non-financial control objectives (i.e., security, availability, processing integrity, confidentiality and/or privacy).
- SOC 3 reports, also performed under AT 101, are outward-facing versions of SOC 2 reports and are publicly available.
Both SOC 1 and SOC 2 reports can be either “Type I” or “Type II”. Type I reports describe the procedures and controls that an organization has implemented as of a certain date. Type II reports describe in detail how an organization operated its controls over a period of time.
Internap’s SOC 2 Type II Reports
Internap’s SOC 2, Type II Reports not only confirm that Internap’s data center security and operational procedures have been reviewed and tested by an independent certified auditor, but they also validate that our facilities’ controls and processes are designed to safeguard our customers’ equipment and data. While this higher level of reporting isn’t mandatory, Internap is committed to providing a transparent view of our policies and procedures, which we believe to be among the most robust in the industry.