Well said DaCurryman! Data centers have adopted SAS 70 and SSAE 16 as a certification of good security and availability practices, however, that was never the intent. The reason we had "SAS 70 Certified" data centers and we now have "SSAE 16 Certified" data centers is because the customer is always right. The chain of demand for SAS 70 began with financial statement auditors that needed a vehicle to understand the controls at service organizations. Sarbanes Oxley fundamentally changed the requirements for financial statement audits. The auditors now had to have an understanding of the controls that were in place over financial reporting. That included IT general controls like physical and environmental controls that most data centers provide. Rather than send a team of auditors to examine the physical and environmental controls at a third party data center, the audit firm asked the data center to provide a SAS 70 report. Pretty soon, the marketing people said "Hey, we can get more customers if we say we are "SAS 70 Certified" and since SSAE 16 was officially introduced as the replacement for SAS 70, you now have those same marketing people claiming SSAE 16 Certified.

SAS 70 is a great, but ultimately obsolete audit standard. It is NOT a data center security and availability standard. Again, SAS 70 and the new SOC standards are attestation standards. That is, the standard is about how to conduct the review, NOT what should be in place at the data center. This is totally different than ISO and other "certification" bodies. The AICPA is not a certification body. I believe what you intended is that SAS 70 is a worthless vehicle for certifying the security and availability controls of a given data center. And you would be correct. For that was never the intention of SAS 70 and is STILL not the intention of SSAE 16 (SOC 1).

Actually, the service organization is only supposed to release the SAS 70 report (and the newer SSAE 16, SOC 1) to existing customers and their auditors. It is not a "general release" report and should not be used for marketing purposes. This language is in the SSAE 16 standard and should be in the engagement letter with the CPA firm that conducts the attestation.

DaCurryman has it right. SAS 70 (dead) and the new standards (SOC 1, SOC 2, SOC 3) are not certifications. SOC 1 (SSAE 16) is not intended to provide assurance over security. It is intended to provide financial statement auditors (not management of prospective customers) with an understanding of controls in place at a service organization that impact the financial reporting of their audit clients (the data center customers). None of the AICPA "standards" have anything to do with the "lofty operational standards" mentioned in the original post of this thread. The AICPA standards are standards for conducting the attestations, NOT standards for data center security and operations. If your intended audience is management of existing customers and of prospective customers, then SOC 2 and SOC 3 are infinitely better attestations (NOT CERTIFICATIONS!!!) to request. Many data centers are helpless at this point because existing customers all want SSAE 16 reports. They don't understand why, they just know that their auditors will ask for the report during the next audit cycle just like they asked for a SAS 70 report in years past. It is up to those on this board to educate your management and your customers about the differences and ensure you provide your customers with the correct report.