SAS 70 Changes to New Auditing Standard
For years, you may have heard Internap or other providers refer to something called “SAS 70.” While it may sound like a flight number or a road race, SAS 70 is actually an auditing standard designed to provide assurance to customers who use service providers for tasks that impact bottom-line financials. Introduced in 1992, SAS 70 was originally written as a financial auditing framework to verify that service providers followed adequate controls and processes, thereby minimizing risk to the client company.
New Service Organization Control (SOC) Reports
Over the years, SAS 70 has been applied to numerous business areas outside of the financial services industry including data centers and managed hosting services, where the service provider did not have a direct financial impact. The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) recognized the need for a framework that would provide non-financial service providers a way to report on controls to their clients, which has given rise to the development of a new reporting structure that better aligns with the services provided by Internap and other IT infrastructure service providers.
Last year, the AICPA announced new requirements for reporting on controls at all service organizations, replacing the SAS 70 Standard. These are contained within three Service Organization Control (SOC) reporting options — SOC 1, SOC 2 and SOC 3 — which are performed in accordance with either Statement on Standards for Attestation Engagements (“SSAE”) 16, or AT Section 101, Attest Engagements, of the AICPA Attest guidance utilizing the Trust Services Criteria. The SOC reporting structure officially went into effect June 15, 2011, and any reports issued after this date must be under the new guidance.
- SOC 1 reports, which are governed by the SSAE 16 framework, focus solely on service organization controls that are likely to be relevant to an audit of a user entity’s financial statements.
- SOC 2 and SOC 3 reports, which are governed by the AT 101 framework, address controls at the service organization related to non-financial objectives (i.e. security, availability, processing integrity, confidentiality and/or privacy).
What this means
Internap evaluated the new standards and reporting structure in consultation with our independent auditor for the transition from SAS 70 to the SOC reporting structure. We determined that our data center operations are governed by the AT 101 framework, addressing controls at the service organization related to non-financial objectives. Therefore, we have made the transition to issuing a SOC 2 report utilizing the Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids). Internap and our independent auditor determined that the Availability principle most closely aligns with our data center operations, as it includes system availability, physical security and environmental control criteria.
By meeting the criteria set forth in the Trust Services Availability Principle, the SOC 2, Type II Report confirms that Internap’s data center security and operational procedures have been reviewed and tested by an independent certified auditor, and validates that controls and processes are suitably designed and operate effectively to protect and safeguard customers’ equipment and data. Internap’s SOC 2 reports issued in December 2011 are among the first known reports of this kind issued in the industry. Internap will continue to perform SOC 2 audits on an annual basis.