Regulatory Compliance
Involta has been helping clients prepare for and complete selected steps of industry compliance audits because they are the same standards to which we are held.
Our facilities and internal control processes are audited against the SSAE-16 standard and have received SOC1 Type II reports.
Some Quick Facts about the different standards:
SSAE-16:
Replaced the SAS-70 auditing standard that had been in place and used by the data center industry for the previous 20 years. SSAE-16 (Statements on Standards for Attestation Engagements No. 16) is the next generation of auditing standards for reporting on controls at service organizations (including data centers) in the United States. SSAE 16 goes beyond SAS 70 by requiring the auditor to obtain a written assertion from management regarding the design and operating effectiveness of the controls being reviewed. SSAE 16 also provides better alignment with the international audit standard ISAE 3402. Under the new AICPA (American Institute of CPAs) reporting standards, an audit that is conducted under SSAE 16 will result in a Service Organization Control (SOC) 1 report. These reports are still focused on controls relevant to internal control over financial reporting. In essence, a SOC 1 report will be the form of reporting for a completed SSAE 16 audit. As with SAS 70, SOC 1 reports are restricted-use reports intended only for existing customers and their auditors, not prospective customers or the general public.
SOC 1 Report:
The direct result of the SSAE-16 audit process. SOC 1 reports will be available as Type I or Type II reports, very similar to the current SAS 70 reporting options. Type I reports present the auditors’ opinion regarding the accuracy and completeness of management’s description of the system or service as well as the suitability of the design of controls as of a specific date. A Type II SOC 1 report includes the Type I criteria AND audits the operating effectiveness of the controls throughout a declared time period, generally between six months and one year. Like SAS 70, there is no official SSAE 16 or SOC 1 “certification.”
SOC 2 & 3 Reports:
SOC 2 reports provide a more stringent auditing standard than SSAE-16. Whereas the SSAE-16/SOC 1 reports basically verify that the data center is following the internal controls as “advertised” to the auditor, the SOC 2 reports provide assurance that the subject data center’s controls adhere to an industry standard as well. These standards are based on the AICPA Trust Services Principles and Criteria. These criteria were developed by AICPA specifically for evaluating data center and service organization controls. The SOC 2 report allows comparison to a benchmark, whereas the SOC 1 report just verifies that the company has an internal control program and adheres to it. SOC 1 and SOC 2 reports are restricted-use reports intended for existing customers and internal use only and NOT to be distributed publicly or to prospective clients.
SOC 3 reports provide the same level of assurance about controls over security, availability, processing integrity, confidentiality and/or privacy as a SOC 2 report, but the report is intended for general release. It does not contain the detailed description of the testing performed by the auditor, but rather a summary opinion regarding the effectiveness of the controls in place at the data center or service organization.
These audit standards are the new gold standard for reporting on and verifying internal controls in the service industry. Customers that are obligated to verify control over their own financial reporting and auditing processes (see Sarbanes-Oxley) are demanding that service providers furnish proof of compliance in their operations so that they in turn can prove they are in compliance.
Completing the audit process in your business is the next step to broadening your customer base, and Involta can help you with that process.
Involta facilities adhere to a host of other compliance standards as well:
PCI DSS (Payment Card Industry Data Security Standard)
Involta partners with retailers, e-tailers, call centers and other credit card transaction processing organizations to meet this exacting set of requirements.
Applicable to all health care organizations and anyone managing their data records (payment processing, data analytics, collections, etc.)
US-EU Safe Harbor Program
Standards for the overseas transfer of personal data. US companies that adhere to the Safe Harbor data protection standards, principles and procedures will be deemed to provide an adequate level of protection, which satisfies, in UK terms, the requirements of Principle 8. The program offers a simpler and more cost-effective means of complying with the adequacy requirements of EU law, which particularly benefits small and medium-sized businesses.
The legislation came into force in 2002 and introduced major changes to the regulation of financial practice, corporate governance and reporting for publicly traded companies.
JSOX
Japanese government equivalent of Sarbanes-Oxley