Why SSAE Compliant Hosting

Posted by & filed under List Posts.

Accounting and information technology (IT) are very much connected; and the creation of financial statements must be founded on the principles of reliability and accuracy. After all, what good are numbers that do not reflect the real situation? Furthermore, when money is involved, the potential for fraud will naturally be high.

 

While it may seem to an outside industry that accounting is as simple as adding up the numbers, “garbage” data can easily have a presence on financial statements, according to Michael Sack Elmaleh, CPA, CVA (certified public accountant / certified valuation analyst).

 

The reason that financial records can often be poor is that it is not easy to see inaccuracies just by looking at reports. It could be that nothing seems problematic about the figures but that some of them are simply false.

 

The two primary reasons that inaccuracies arise, notes Elmeleh, are intentional deception and lack of proper accounting skills. Both of these issues can be addressed in the same manner, via the following two methods:

 

  • Partner with an outside accountant to perform regular audits of financial reports. The third-party accountant can check to make sure that the numbers are aligned with generally accepted accounting principles (GAAP) throughout the statements.
  • Establish sufficient controls within the organization. The controls are policies and procedures that are used to protect against fraud; make certain that statements are accurate; and properly protect all data and systems.

 

Both of these practices should be in place at organizations. Audits should be conducted regularly, and strong controls should be in place and monitored for their consistent application.

 

The Statement on Standards for Attestation Engagements becomes immediately relevant in the context of the above two practices. SSAE 16 (which has now been recodified as SSAE 18) was actually called “Reporting on Controls at a Service Organization; while SSAE 18, issued in April 2016, is called “Attestation Standards: Clarification and Recodification.”

 

” It is essentially a set of instructions or standards to be used by auditors when they are creating reports on internal controls relevant to creation of financial statements. As such, the SSAE 16 or SSAE 18 process both brings in an outside entity to verify that appropriate controls are in place (the audit, #1 above), and recommends any controls that are not present and should be (application of controls, #2 above).

 

What is the AICPA?

 

To understand the Statement on Standards for Attestation Engagements is to understand the American Institute of CPAs (AICPA), the organization that created and develops the standard.

 

The AICPA was founded in 1887. It is the largest professional association for accountants, with 143 nations and over 418,000 members represented.

 

The group develops ethical guidelines for CPAs, as well as auditing protocols to be followed by public agencies, private firms, and nonprofits. The association develops, maintains, and scores the Uniform CPA Examination, which must be passed in order to become a CPA.

 

SSAE compliance as critical to IT

 

Actually, a prominent accountant and compliance specialist, Chris Schellman of BrightLine (now Schellman), wrote a great piece a few years ago on SSAE 16 and why it is a specifically important standard for data centers.

 

Schellman explained that the standard simply should be in place in order for a facility to be treating its customers’ data with respect. The compliance standard was created, after all (according to the AICPA), to study the controls that are established at providers that offer services to customers “when those controls are likely to be relevant to user entities’ internal control over financial reporting.”

 

In other words, basically any business that sells services (as opposed to products) online, such as a hosting service, should have a SSAE 16 audit performed.

 

Schellman explained that managed service providers, colocation facilities, and data centers that operate computing systems containing data relevant to financial statements must place reasonable controls within the system – for environmental and physical security. (It is necessary for the company to properly protect its hardware from theft or damage, for instance.) Since a responsible organization places best-in-class standardized controls on its information technology, it is only natural that a data center should have this form of compliance.

 

A data center may think that SSAE 16 or SSAE 18 is not important to them. The fact is that the American Institute of CPAs has a compelling position as a professional association of certified public accountants – an association that claims integrity as one of its values, with the statement, “We are committed to upholding the highest ethical standards to maintain trust and credibility with colleagues, members and the public.”

 

Not all are sold on SSAE standards

 

There are some in IT who are less convinced of the across-the-board value of SSAE certification or compliance. It is seen as too baseline a set of standards. It is understood as a marketing gimmick. “Determining if SSAE certification or auditing is right for your data center depends on your clientele and whether you want to expand that clientele by demonstrating certain safeguards for customers,” noted Jeff Clark in Data Center Journal.

 

Clark added that there is very little easily digestible information online about various forms of regulatory or third-party industry compliance. It’s very dense. Well, compliance and standards are necessarily dense. It’s technical writing in a style, meter, and tone that is similar to law. Clark hinted toward the complexity of assessing organizations for compliance: one of the most obvious ways to decide if you care about this credential or body of knowledge is to go directly to the standard’s developer: “[C]onsult the AIPCA (American Institute of Certified Public Accountants) Statements on Standards for Attestation Engagements—already a mouthful,” he said, “to find the relevant section on SSAE16: Reporting on Controls at a Service Organization.”

 

In defense of SSAE compliance

 

Since Clark gave the standard a bit of a beating, it is worth noting that the length of the nomenclature or terminology surrounding a body of knowledge is not necessarily a good indicator of whether the set of guidelines within it have value, integrity, veracity, etc. In fact, seeing Statement on Standards of Attestation Engagements is comforting to some, since it is dryly descriptive and logical, which is what many want from compliance mechanisms based on libraries of collaboratively understood generally accepted accounting practices (GAAP).

 

The SSAE standard is a rigorously created set of controls that allows accountants to be able to say that they believe financial data is safe. Then again, maybe we are biased, since we are SSAE 16 certified and SSAE 18 / AU 324 compliant; with HIPAA & HITECH / GDPR / FISMA / PCI compliant systems available, based on extensive engineering experience. See our data security commitment.