Irregardless, Begs the Question, and SSAE 16 Certified

These are words that resemble the sound of nails scratching a chalkboard to me.  "Irregardless" is not a word, and is not a substitute for irrespective or regardless.  "Begging the question" is a logical fallacy, not a substitute for "...which raises the question...", and there is no such thing as an "SSAE 16 certification".

For the past two years, I have supported the AICPA's efforts to correct the misuse of SAS 70 by replacing it with SOC reports, yet day after day I read press releases and blog posts by companies claiming that their SSAE 16 certification proves that their services are secure and available.

I think I may have finally begun to realize the futility of it all though.  We used to say, "Ain't ain't a word, because it ain't in the dictionary", but that's not the case anymore.  It's there!  It has just been labeled "non-standard."  Just as widespread use of "ain't" and "irregardless" has led to them being added to the dictionary, maybe it's time to just label the misuse of SSAE 16 reports as "non-standard" and let it go.

What about serving the public interest though?  The Code of Professional Conduct says: "A distinguishing mark of a profession is acceptance of its responsibility to the public" (Rule 201 Section ET 53 – Article II – The Public Interest).  What about the customer of an outsourcing vendor who sees a fake SSAE 16 logo, reads that the company they are doing business with has been "SSAE 16 certified", and proceeds to place reliance on a report that the AICPA says is not designed to provide assurance regarding security or availability?  If the CPA firm that issued the SSAE 16 report does not disassociate itself from such a company, and if the AICPA does not hold the firm accountable for doing so, then has the public interest been served?

Calling the report a certification is only part of the problem though.  A slide from an AICPA presentation says that SAS 70 reports contained controls related to subject matter other than internal control over financial reporting (ICFR).  That problem persists today, two years after SOC reports replaced SAS 70.

We cannot really blame service organizations or their customers for thinking a report containing environmental and operational controls, tested by an independent CPA firm, provides assurance about the security and availability of their services though, can we?  After all, what's wrong with relying on my data center's SSAE 16 report if I need to know that they have a diesel generator for backing up commercial power in case there is a power outage, and the report includes that testing?  The same thing goes for having UPS units, fire extinguishers, raised flooring, etc.

The problem is that these things have nothing to do with my data center's role in assuring the accuracy of my financial statements, and they are not supposed to be included in the report.  To comply with their professional standards, every CPA must require their clients to remove non-ICFR controls.  Yet two years after the launch of SOC reports, every SSAE 16 report I have seen contains non-ICFR controls, and the auditor has issued an opinion as to their effectiveness.  I have seen guidance from CPA firms that lists removal of these kinds of controls as optional, and I have clients who tell me their CPA firm has never even mentioned the need for a re-evaluation of their controls for ICFR applicability.

At the risk of sounding like the annoying guy who corrects people's use of the word irregardless, I will say the following:


  • If you are a company relying on service providers, and your service provider gives you their SSAE 16 report as assurance that their services are secure and available, demand a SOC 2 report, or walk away.  
  • If you are a service provider, and your CPA firm has not walked you through re-evaluation of your controls for ICFR applicability, contact me, or a CPA firm that will help you through that process.  
  • If you are a CPA firm that has clients who still want to include blatantly non-ICFR controls in their SSAE 16 reports, then have the courage to say you will not opine on them this year, and that they must be moved to the other information section.

Let us all do our part to stop the misuse of SSAE 16 reports.


Thank you for the endorsement, French.  It is indeed an honor to have the ear of the Gartner Risk Management analyst who first reported SAS70 abuse in 2010.

79 comments:

  16. Just tripped into this and thought of sharing this analogy...
    I have seen SOC1/ISAE3402 reports saying that the audit used "selected controls from [insert security standard here]". It makes me wonder about why the vendor didn't select all of them??

    A bit like saying that your spouse is faithful "on selected occasions"... Not very reassuring, is it?
