Irregardless, Begs the Question, and SSAE 16 Certified

These are words that, to me, sound like nails scratching a chalkboard.  "Irregardless" is not a word, and it is not a substitute for "irrespective" or "regardless."  "Begging the question" is a logical fallacy, not a substitute for "...which raises the question...", and there is no such thing as an "SSAE 16 certification".

For the past two years, I have supported the AICPA's efforts to correct the misuse of SAS 70 by replacing it with SOC reports, yet day after day I read press releases and blog posts by companies claiming that their SSAE 16 certification proves that their services are secure and available.

I think I may have finally begun to realize the futility of it all though.  We used to say, "Ain't ain't a word, because it ain't in the dictionary", but that's not the case anymore.  It's there!  It has just been labeled "non-standard."  Just as widespread use of "ain't" and "irregardless" has led to their being added to the dictionary, maybe it's time to just label the misuse of SSAE 16 reports as "non-standard" and let it go.

What about serving the public interest though?  The Code of Professional Conduct says: "A distinguishing mark of a profession is acceptance of its responsibility to the public" (Rule 201 Section ET 53 – Article II – The Public Interest).  What about the customer of an outsourcing vendor who sees a fake SSAE 16 logo, reads that the company they are doing business with has been "SSAE 16 certified", and proceeds to place reliance on a report that the AICPA says is not designed to provide assurance regarding security or availability?  If the CPA firm that issued the SSAE 16 report does not disassociate itself from such a company, and if the AICPA does not hold the firm accountable for failing to do so, then has the public interest been served?

Calling the report a certification is only part of the problem though.  A slide from an AICPA presentation says that SAS 70 reports contained controls related to subject matter other than internal control over financial reporting (ICFR).  That problem persists today, two years after SOC reports replaced SAS 70.

We cannot really blame service organizations or their customers for thinking that a report containing environmental and operational controls, tested by an independent CPA firm, provides assurance about the security and availability of their services, can we?  After all, what is wrong with relying on my data center's SSAE 16 report if I need to know that they have a diesel generator to back up commercial power in case of an outage, and the report includes testing of that control?  The same goes for UPS units, fire extinguishers, raised flooring, and so on.

The problem is that these things have nothing to do with my data center's role in assuring the accuracy of my financial statements, and they are not supposed to be included in the report.  To comply with their professional standards, every CPA must require their clients to remove non-ICFR controls.  Yet two years after the launch of SOC reports, every SSAE 16 report I have seen contains non-ICFR controls, and the auditor has issued an opinion as to their effectiveness.  I have seen guidance from CPA firms that lists removal of these kinds of controls as optional, and I have clients who tell me their CPA firm has never even mentioned the need to re-evaluate their controls for ICFR applicability.

At the risk of sounding like the annoying guy who corrects people's use of the word irregardless, I will say the following:

  • If you are a company relying on service providers, and your service provider gives you their SSAE 16 report as assurance that their services are secure and available, demand a SOC 2 report, or walk away.
  • If you are a service provider, and your CPA firm has not walked you through re-evaluation of your controls for ICFR applicability, contact me, or a CPA firm that will help you through that process.
  • If you are a CPA firm with clients who still want to include blatantly non-ICFR controls in their SSAE 16 reports, then have the courage to say you will not opine on them this year, and that they must be moved to the other information section.

Let us all do our part to stop the misuse of SSAE 16 reports.


Thank you for the endorsement French.  It is indeed an honor to have the ear of the Gartner Risk Management analyst who first reported SAS70 abuse in 2010.

22 comments:

  16. Just tripped into this and thought of sharing this analogy...
    I have seen SOC1/ISAE3402 reports saying that the audit used "selected controls from [insert security standard here]". It makes me wonder about why the vendor didn't select all of them??

    A bit like saying that your spouse is faithful "on selected occasions"... Not very reassuring, is it?
