Thursday 12 July 2012

Understanding the SSAE 16 Type II Certification


In mid-2011, the Statements on Standards for Attestation Engagements (SSAE 16) replaced the SAS 70 audit standard for colocation providers in the United States.  This was done primarily to update the reporting standards in the United States to meet international reporting standards (ISAE 3402).  The SSAE 16 standard allows United States colocation providers to compete on an international level, and allows customers to choose an SSAE 16 Type II compliant data center with complete confidence.  Most data center customers have questions about SSAE 16 certification and what it means.  With a greater understanding of this auditing process, its merit becomes clearer.

An Overview of SSAE 16

SSAE 16 applies to companies in the same manner SAS 70 did; however, there are several key changes required to meet international standards.  These key changes are related to management attestation and eliminating allowable evidence from prior audits.

Management Attestation

Under the previous standard, it was the sole responsibility of the auditor to report on controls.  Under SSAE 16, the company must provide management attestations based upon their system of services.  The auditor will then examine the company’s controls and determine if they are accurately described within their system.

No More Evidence From Prior Audits

Under SSAE 16, evidence collected during prior audits can no longer be used.  Previously, this was allowed to reduce the length of time it took to become certified.  This change benefits colocation customers because they know all of the information included is up to date and accurate.

The Difference between SSAE 16 Type I and Type II

Like SAS 70, there are two different types of audits available – Type I and Type II.  To become Type I certified, the auditor will write an opinion stating that the colocation data center described its systems accurately and completely within their service agreement.  Type II certification requires everything included in the Type I certification, plus the operational effectiveness of the colocation service provider is audited for a minimum of six months.

Why Customers Care?

It is not always apparent why this certification is important.  There are several different reasons, depending upon the customer’s type of business.

Service Contracts Are Accurate

The primary reason every customer must care about SSAE 16 Type II certification is the service contract.  An SSAE 16 Type II certified colocation provider must prove that its service contracts are complete and accurate.  This assures customers that they are not being deceived by the colocation provider, either purposely or inadvertently.

Industry Regulation

Industries with high performance computing needs have stringent requirements tied to their IT controls.  For example, the banking industry has strict privacy and security requirements for online banking to protect private customer information and prevent identity theft.  Customers within heavily regulated industries must be absolutely sure their colocation provider meets or exceeds these regulations.

It is important to keep in mind the substantial difference between Type I and Type II certification.  It may not seem like much at a glance, but the six month verification period is a vital layer of security for customers.  Choosing an SSAE 16 Type II certified colocation service provider ensures the highest levels of transparency and accountability.

Colocation services offer a variety of features and options.

Author's Bio: Allen Bell writes articles to help elaborate on the different factors that separate world class providers from mediocre ones.  His writings help shed light on the different types of data center certifications and what they really mean.


1 comment:

  1. I own a small business and a few people told me to check out colocation services. I don't fully understand what that means so I have been doing some research. This post is very informational. Thanks for sharing!
