Relationships drive the modern service economy. Years ago the American Institute of Certified Public Accountants (AICPA) recognized that truth and put in place a standard for independent, third-party assessments that provide assurance about the operational controls in place at service providers. The Statement on Accounting Standards Number 70 (SAS 70) was the first standard to guide accounting firms in the execution of these assessments. For several years following its introduction in 1992, “SAS 70 Reports” became an extremely popular tool for organizations to gain confidence in their service supply chain. As interest grew, the AICPA recognized the need to update this standard in 2011 to manage the expanding use of these assessments more effectively. From this realization, the AICPA created a new standard: the Statement on Standards for Attestation Engagements Number 16 (SSAE 16). The product of an SSAE 16 engagement is a Service Organization Control (SOC) report. The SSAE 16 standard is still in use today, but not for long. A new standard will force a deeper look at service organizations.
“Change is the only constant in life.” - Heraclitus
Starting in May 2017, assessments will be conducted under the Statement on Standards for Attestation Engagements Number 18 (SSAE 18). Just as it was under SSAE 16, the product of an SSAE 18 assessment is a SOC report. While most of the changes are technical changes to consolidate various assessment programs, some changes will be more noticeable.
Under the new standard, service organizations will be required to have a vendor management program to provide oversight of subservice organizations. Organizations will also be required to document the subservice controls used to support the organization. Service organizations will also be required to have a fully developed risk assessment program and provide a written assertion signed by management.
As the first organization in the industry to successfully complete an assessment under SSAE 16, we have always embraced continuous improvement and will issue future SOC reports under SSAE 18 this year. Our SOC 1, 2 and 3 reports and our HIPAA Security report will all be produced under SSAE 18. Our certifications under ISO 27001 and the PCI Data Security Standard will not be impacted by these changes.
Since our inception, we have proactively implemented the necessary safeguards within our data centers to best assist customers in cost-effectively meeting regulatory compliance requirements. These safeguards, coupled with our portfolio of services, offer our customers holistic IT solutions.
All compliance reports and documentation are made available to our customers via our portal.