For the second year in a row, Personal Computers, Inc. (PCI) has successfully completed a Statement on Standards for Attestation Engagements No. 16 (SSAE 16) Type II Service Organization Control (SOC) 1 report. In previous years, PCI had SAS 70 examinations performed with no exceptions. Beginning in 2011, the American Institute of Certified Public Accountants (AICPA) replaced the SAS 70 with the SSAE 16.
An independent service auditor examined the policies, procedures and business processes in place at PCI from January 1 to September 30th. The auditors spent a week inspecting our facility, learning about our procedures and interviewing PCI’s personnel and management.
The following areas related to the services provided in our Data Centers were examined:
- Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal controls, providing discipline and structure.
- Physical Security: Control activities provide reasonable assurance that business premises and information systems are protected from unauthorized access, damage and interference.
- Environmental Security: Control activities provide reasonable assurance that critical information technology infrastructure is protected from certain environmental threats.
- Support Availability: Control activities provide reasonable assurance that support is available 7x24x365 and accessible to PCI’s customers.
- Operations: Control activities provide reasonable assurance that the Operations department identifies and resolves problems affecting the facilities or customers in a timely manner.
The examination was performed in accordance with standards established by the American Institute of Certified Public Accountants. Existing PCI clients can request a copy of the SSAE 16 report by emailing firstname.lastname@example.org.
Why is SSAE 16 important to our clients?
Having an SSAE 16 report benefits PCI as well as our clients. Many of our clients are organizations that must comply with security requirements such as Sarbanes-Oxley. Those clients can use the report for their specific requirements. Benefits include:
- May satisfy requirements for Sarbanes-Oxley
- Helpful sales tool for our clients to use for their customers
- Useful for start-ups looking for venture capital, which often has security requirements
What is SSAE 16?
In 1992, the AICPA developed a set of guidelines for evaluating service organizations known as SAS 70. The SSAE 16 is an enhancement to the SAS 70 and went into effect in June 2011. The changes made to the standard will bring US companies up to date with the new international service organization reporting standard, ISAE 3402.
An SSAE 16 report, also known as a SOC 1 (Service Organization Control) report, is beneficial to both the service organization and its clients because it demonstrates that the service organization has implemented effective control activities. The SSAE 16 report can aid the service organization’s clients in completing their own financial audits.
In the hosting and colocation industries, the SSAE 16 report is important for companies that are relying more and more on outsourced hosting and colocation services. The SSAE 16 report allows hosters and data centers to complete one report that all of their clients can use.