What is SSAE 16?

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of standards developed specifically for certified public accountants (CPAs) to evaluate an entity’s internal controls and the impact a service organization may have on the entity’s control environment. This is particularly important as auditors attempt to accurately audit a company’s financial statements.

The SSAE 16 standards were put in place by the American Institute for Certified Public Accounts (AICPA) and serve as the authoritative guide for in-depth audits of a third-party service organization such as 365 Data Centers. SSAE 16 is a relatively new set of standards published in April 2010 to supersede the SAS 70, the original guidelines for performing an examination of a service organization’s controls and processes.

Businesses rely on SSAE 16 and SOC 2 audits and reports to build trust and confidence in their service provider’s ability to design, operate and control environments on which their business depends. Additionally, SSAE 16 and SOC 2 audits may assist an entity in complying with the Sarbanes-Oxley act or similar law or regulation.

What are SOC reports?

Service Organization Controls (SOC) Reports are prepared by an auditor in accordance with AICPA standards and are specifically intended to evaluate a service organizations controls. There are three SOC reports:

  • SSAE 16 SOC 1:: Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (commonly referred to as SSAE 16) and based on SSAE 16 standards.
    • Type 1: report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description throughout a specified period.
    • Type 2: report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
  • SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy based on AICPA SOC 2 standards.
  • SOC 3: Trust Services Report for Service Organizations.

Use of these reports is typically restricted to the management of the service organization, user entities, and user auditors.

Are 365 Data Centers colocation facilities SSAE 16 and SOC 2 compliant?

Yes, 365 Data Centers has been audited by a third-party auditor and found to be compliant with the SSAE 16 and SOC 2 standards. We have an SSAE 16 SOC 1 Type 2 report and an SOC 2 Type 2 report that outline the findings of the audit.

A-Lign performed the audit of our Colocation Services for SSAE 16 SOC 1 Type 2 and SOC 2 Type 2 at 100% of its colocation facilities. They conducted their examination in accordance with the attestation standards established by the American Institute of Certified Public Accountants to assess the suitability of the design and operating effectiveness of controls to achieve the related control objectives identified.

365 received an SSAE 16 SOC 1 Type 2 and SOC 2 Type 2 unqualified audit opinion delivered with no exceptions.

The scope of the assessment included 365 Data Centers’ colocation facilities in: Buffalo, NY; Chicago, IL; Cleveland, OH; Detroit, MI; Emeryville, CA; Indianapolis, IN; Nashville, TN; New York, NY; Philadelphia, PA; Phoenix, AZ; Pittsburgh, PA; Reston, VA; San Jose, CA; Seattle, WA; St. Louis, MO; and Tampa, FL.

How do SSAE 16 and SOC 2 certifications benefit your business?

Going through SSAE 16 and SOC 2 audits is a rigorous process. Only service organizations that have designed and implemented their controls and processes well and demonstrated operational effectiveness receive an unqualified audit opinion. Such audits are time-consuming and costly.

Businesses that use service organizations that have been audited for SSAE 16 and SOC 2 compliance should have a higher level of trust and confidence in that organizations controls and operational capabilities. Additionally, entity’s that are being audited themselves for SSAE 16, SOC 2, Sarbanes-Oxley compliance or similar law or regulation will find it easier to comply with requirements when using an SSAE 16 and SOC 2-audited service organization. This will speed compliance and reduce the cost of compliance.

Are 365 Data Centers’ SSAE 16 and SOC 2 audit reports available to review?

Yes, 365 Data Center’s SSAE 16 and SOC 2 audit reports are available to customers and qualified prospective customers and partners upon request. Please contact us for more information or to request a copy of our audit reports.

View our News Release

View our Confirmation of SSAE 16 and SOC 2 Audit Opinions