SSAE 16 is an attestation standard issued by the American Institute of Certified Public Accountants that reports on CoreSite controls supporting the services provided to customers. CoreSite management developed internal control objectives to support first-class data center management services that were used to complete the audit. Companies that are compliance sensitive and may require SSAE 16 compliance include publicly traded enterprises, financial firms, and healthcare organizations. The SSAE 16 audit report includes management's description of CoreSite's systems and the suitability of the design and operating effectiveness of the controls. Further, the report contains a written assertion from management regarding the systems and a services auditor's opinion letter.
SSAE 16 is designed to provide CoreSite data center customers with a level of assurance of corporate controls and will replace existing SAS 70 Type 1 and Type 2 audit reports. BrightLine, a licensed CPA firm, conducted the CoreSite SSAE 16 audit over the twelve-month period ending June 30, 2012.
Similarities Between SSAE 16 and SAS 70 Audits There are many similarities between a SAS 70 and SSAE 16. The scope will still focus on controls relevant to user entities internal controls over financial reporting and other subject matter will continue to be performed under AT Section 101. The service auditor will still issue a Type I or Type II report and continue to be restrictive in nature. A Type I report addresses the design of the controls while a Type II report addresses both the design and operating effectiveness. As before, management can either include related subservice organization controls using the inclusion method or exclude subservice provider controls via the carve-out method.
There are also key changes that will be incorporated in SSAE 16. The new standard is an attest standard and not an audit standard. The new attest standard will require management to provide the service auditor a written assertion about the fair presentation of the description of the service organization's system, the suitability of the design of the controls and, in the case of a Type II report, the operation effectiveness of the control. Management's written assertion would accompany the description of the service organization's system. If the inclusion method is used, the subservice organization must also provide a written assertion.
Under SSAE 16, the auditor must disclose when Internal Audit work has been used to form the service auditor's opinion. The documentation of the use of Internal Audit's test steps and results can be inserted in the Test of Controls section of the report. The auditor should not reference the work of Internal Audit in the opinion section since Internal Audit is not an independent of the service organization. As it relates to a Type II report, the description of the service organization's system and the service auditor's opinion on the description will cover a period, which will be the same as the period covered by the service auditor's tests of the operating effectiveness of controls. In the SAS 70, the description of the service organization's system in a Type II report was as of a specified date, rather than a period of time.
SSAE 16 Audit Report | Easy Compliance for Highly Regulated Customers CoreSite customers conduct business in highly regulated industries and practices such as financial services, healthcare, Government, legal, biosciences, cloud computing, and numerous others.
These customers require thorough documentation from the vendors they conduct business with, especially those involved with the storage and transmission of sensitive data. The SSAE 16 Type 2 audit report can be emailed to customers to help streamline this regulatory process. Customer accounting and compliance personnel can then take the PDF file and match the report to their own documentation process with relative ease.
CoreSite provides PDF copies for all customers upon request. CoreSite engaged in SSAE 16 audits in support of its 700+ customers across the country. Any CoreSite customer may request a copy of the company's SSAE 16 audit report by written request to Info@CoreSite.com.
All written requests should include the names and company of the individuals processing the document, the CoreSite data center/s they are currently deployed in, the emails the individuals would like the PDF sent to, and the purpose of the request.