What Magneto's Helmet and Non-ICFR SSAE 16 Controls have in Common

Both are designed to mitigate unlikely risks.  For anyone who may not know, Magneto's nemesis, Professor X, has the ability to read minds, and in order to protect his thoughts from being intercepted, Magneto wears a helmet made of lead.  Magneto and Professor X are not real, and neither is the ability to read minds, but judging by many of the controls I see in SSAE 16 reports that are supposed to contain only controls that mitigate the risk of material financial misstatement, I would not be surprised to see a control such as "We use lead-lined drywall in our offices to prevent psychics from seeing us enter our passwords."

Recently I have had opportunities to observe several auditors defend why they believe the controls contained in their clients' SSAE 16 reports are relevant to internal controls over financial reporting (ICFR).  The auditors argue that the risk events the controls mitigate are "possible."  I have had to explain, to seasoned auditors in some cases, that just because a risk event is possible does not mean it is reasonable to conclude that a control is ICFR relevant.  I mean, sure, some people believe in psychics, and there is probably anecdotal evidence out there that password sniffing via psychic is "possible," but is jumping from there to a control requirement for lead-lined drywall reasonable?  Of course not.  It is equally unreasonable to say that having fire suppression in your data center will prevent you from materially misstating your financials.

Do we really need to explain that physical security, environmental, and operational controls do not belong in SSAE 16 reports, or is there something more sinister going on?  Why haven't auditors required their clients to remove non-ICFR controls from their SSAE 16 reports, as the standard has required for the past two years since the launch of SOC reports?  Could it be that the number of controls that require testing in an audit program directly relates to the audit fees that can be justified?

I remember that in years three or four of Sarbanes-Oxley compliance my clients would start "control rationalization exercises" in which they would evaluate the risk a control addressed in order to justify its removal from the external auditor's scope.  It was easy for management to calculate the value of performing this exercise: total audit fees, divided by the number of controls, equals the audit fee per control.  It stood to reason that the more controls you could "rationalize," the lower the audit fee should be.

I believe that most auditors know that it is unreasonable to include physical security, environmental, and operational controls in SSAE 16 reports, but they are unwilling to do anything about it until their clients sign up for SOC 2 engagements.  As long as clients do that, audit fees will increase rather than decrease.  How short-sighted is that, though?  Requiring clients to remove non-ICFR controls would have created an assurance vacuum that SOC 2 was designed to fill.  As it stands now, auditors who issued non-compliant SSAE 16 reports have a credibility problem.

If you are hearing about SOC 2 for the first time and are looking to engage an auditor, you should ask to see some of their SSAE 16 work before making that decision.  For more information on how to distinguish between ICFR and non-ICFR controls, please refer to my whitepaper on the subject here.  If you are considering a report other than SOC 2 for assurance pertaining to security, availability, and/or confidentiality, please read my posts below on why SOC 2 is a superior report to all others:

SOC 2 is being Ignored by the Data Center Industry

On the anniversary of SOC report launch,  of Reckenen Accountants & Associates published the following results of their survey of data centers in the U.S.  The results clearly indicate the market's response to the AICPA's attempt to correct the misuse of SAS 70 that was so pervasive in the industry before SSAE 16, and that continues under the new attestation standard.

With the rejection of SOC 2, the data center industry is telling the AICPA: "We hear you, but we are not interested.  Our customers are not asking for SOC 2 because our SOC 1 (SSAE 16) reports contain the information they are looking for with regard to the security, availability, processing integrity, confidentiality, and privacy of the services we provide them."

Until the AICPA gets tough on CPAs who are issuing opinions under the SSAE 16 attestation standard on engagements that include testing of controls that are not relevant to internal controls over financial reporting (non-ICFR controls), there will not be a significant change in this reality.  Two years after the launch of SOC reports, the data center industry is ignoring SOC 2.

Celebrating SOC’s 2nd Birthday (Infographic) - An Infographic from SOC Audit Examinations & Outsourced Accounting for Private Companies