The Latest in Data Center Management and Innovations



Nov 02

The Transition From SAS 70 to SSAE 16

by Rob Wilson


For over a decade, SAS 70 Type II audits have been a key requirement for organizations that outsource their data center operations to a colocation facility. This year the American Institute of CPAs replaced SAS 70 with a new auditing standard, SSAE 16. The new standard is similar to SAS 70 but differs in a few components. The following article by Mark Eich at LarsonAllen LLP does a nice job of describing the changes.

http://www.larsonallen.com/Information_security/The_Transition_From_SAS_70_to_SSAE_16_Managing_Internal_Controls/

The Transition From SAS 70 to SSAE 16

Moving toward international accounting standards, the American Institute of CPAs (AICPA) has issued Statement of Standards for Attestation Engagements 16 (SSAE 16) to replace Statement of Auditing Standards 70 (SAS 70). This makes SSAE 16 the de facto standard for reporting on internal controls at service organizations. SSAE 16 is designed to closely mirror International Standard on Assurance Engagements 3402 (ISAE 3402). For these organizations, SSAE 16 contains key provisions that will require thoughtful planning.

For example, service auditors will have to determine the suitability of control design throughout the entire reporting period—not just near the end. This means all material control remediation needs to be completed before the reporting period begins.

This change, intended to provide user organizations and their auditors improved assurance about the reliability of controls throughout the reporting period, affects when you engage or change your service auditor.

“The SSAE 16 report will give a more holistic view of how providers are managing their internal controls,” says Mark Eich, principal-in-charge of information security with LarsonAllen.

The change will be required for all service organization control reports with periods ending June 15, 2011, or later, although earlier adoption is permitted.

The overall impact on service organizations

Under SSAE 16, policies, procedures, and practices need to be formally documented and planned in advance of the reporting period. SSAE 16 will also require service organizations to provide a documented formal risk assessment.

“As auditors, we’re still waiting to see the details behind the risk assessment documentation,” says Eich. “Practitioners and service providers will be watching for additional guidance in the next three to five months.”

Significant changes under SSAE 16

  • Service organization management must provide an assertion on the design and effectiveness of its internal controls (similar to the assertion provided in audit engagements under Sarbanes-Oxley).
  • Management must perform due diligence in making this assertion.
  • The report must provide a description of the service organization’s “system” which is an expansion of the SAS 70 requirement to describe “controls.”
  • Management must perform a documented risk assessment that identifies potential threats to the control objectives within the system being met.
  • Management must document its system and processes.
  • Any use of an internal auditor’s work must be disclosed within the body of the report.
  • The auditor’s opinion about the design, suitability, and effectiveness of controls must span the entire period covered by the report.

Elements of SAS 70 remain the same

  • Although found in the attestation standards (versus the auditing standards), an SSAE 16 engagement still carries an opinion signed by a CPA.
  • SSAE 16 reports are still designed to be used as auditor to auditor communication.
  • The concept of the SAS 70 Type I versus Type II report is unchanged.
  • The concept of control objectives supported by control activities remains the same, although the requirement expands the idea to more holistically describe the “system.”
  • The service organization may still provide other information (such as a description of a disaster recovery or business continuity plan).
  • The treatment of subservice organizations remains largely unchanged (most service organizations will likely choose the “carve out” method).


Mark Eich, Information Security, Principal-in-Charge

[email protected] or 612-397-3128






