How many times have you asked your service provider to give you a copy of their latest SAS70 Type II audit? We wouldn't be doing our job if we didn't look for a clean SAS70 audit report.
As we become more global, and work with international service providers, perhaps we need to stop asking for the SAS70 and start asking for a copy of the SSAE 16 (SOC 1) audit report. You familiar with this report? This became effective as of June 15, 2011.
Here is a great website to take a look at and study. http://www.ssae-16.com/ssae-16-type-ii/ . Really pay attention to who needs this report. Data center and co-location customers - pay attention, this report is essential for you to get from your provider.
There are 3 types for the SOC Report:
SOC 1 Report - The SOC 1 Report is a report on controls at a service organization relevant to user entities' internal control over financial reporting.
SOC 2 Report - The SOC 2 Report is a report on controls at a service organization relevant to non-financial controls.
SOC 3 Report - Similiar to a SOC 2 Report, a SOC 3 Report is a report on controls at a service organization relevant to non-financial controls.
SSAE 16 is an improvement to the current standard for Reporting on Controls at a Service Organization, the SAS70, with some changes that will help bring your service provider company and the rest of the provider companies in the US up to date with new international service organization reporting standards, ISAE 3402. What I like is the improved clarity and risk assertion, and documentation.
One recommendation, it can be overwhelming. Make sure if you are undertaking doing these type of audits as a service provider, that you have a real business case to do it. Are your customers demanding it? Do you have public companies that require it? It takes a long time, great effort, and expense to complete these type of reports.
So as a customer, asking for these types of reports from my service provider, should I pay to receive this audit report? Would that help offset the cost(s) or is it the cost of doing business?
I know as a CIO, responsible for my company data, applications, and services being provided by a 3rd party - I would demand seeing a clean report.
Take the time to read up on the SSAE 16 reports. I think you will be pleased with the reports.
Keep it positive!
Scott Arnett
scott.arnett@charter.net
About Me
- Scott Arnett
- Scott Arnett is an Information Technology & Security Professional Executive with over 30 years experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting and in enterprises ranging in size from $50M to $20B in revenue. Scott’s experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, successfully built 9 data centers across the country, and is expert in understanding ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.
No comments:
Post a Comment