SSAE 16 FAQ
C7 Data Centers completes an SSAE 16 SOC1 Type II audit for each of its data centers annually. This SSAE 16 audit supersedes the prior SAS 70 Type 2 audit.
C7 Data Centers, Inc. understands the importance of ensuring the utmost transparency in
internal controls and procedures. We want our customers to know they can trust C7 to
provide data center facilities and services that meet the strictest control standards and
industry best practices.
What is SSAE 16?
Effective for audit periods ending June 15, 2011 or thereafter, the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a new standard created by the American
Institute of Certified Public Accountants (AICPA). The replacement of SAS 70 with SSAE 16 represents the first significant modification to the AICPA standards for reporting on controls at a service organization since SAS 70 was issued in 1992. As organizations became
increasingly concerned about risks beyond financial reporting, SAS 70 often was misused as a means to obtain assurance regarding compliance and operations. SSAE 16 and its
international counterpart, ISAE 3402, were drafted to correct these misuses.
How are SSAE 16 and SAS 70 different?
The SSAE 16 SOC 1 report and the SAS 70 Type 1 report are similarly focused in content, but the SSAE 16 SOC 1 report includes an assertion by management for the system description and related control objectives.
What are the Service Organization Control (SOC) reports?
SOC1 is a report on financial controls. It details risks and internal controls relevant to financial reporting of the user organization.
SOC2 is a report on Trust Principles criteria related to security, availability,
confidentiality, processing integrity and privacy. This report details internal control measures for a defined set of criteria relevant to IT service providers such as colocation,
cloud computing and hosting providers.
SOC3 is also a report on the same criteria as specified in SOC2, but the report is intended for general distribution. This report provides a description of the company’s internal control
system and the “Independent Practitioner’s Trust Services Report.” A SOC 3 seal, which may be linked to the company’s website, is issued after the successful completion of the SOC 3
Describe SSAE 16 Type 1 and Type 2 reports
The SSAE 16 Type 1 report documents the auditors’ opinion regarding the accuracy,
completeness and suitability of the design of internal controls as of a set date. The SSAE 16 Type 2 report audits the implementation of the SSAE 16 Type 1 report over a set period of time, typically 6 months to a year and requires sample testing of each control for operating
effectiveness during the specified period.
Is C7 Data Centers, Inc. SSAE 16 compliant?
C7 Data Centers completes an SSAE 16 SOC1 Type II audit for each of its data centers annually. In accordance with AICPA guidance, there is no such designation as “SSAE 16 Compliant“.