SSAE 16 is a common term used in the data center world. Many people have heard of it, but don’t really understand what it is. Here is a short explanation of what it is. You can always find more information on the AICPA website.


In short, a SSAE 16 audit reports on the design and effectiveness of a service provider’s controls relevant to customers’ financial and security reporting. The former AICPA (American Institute of Certified Public Accountants) standard, SAS 70, did not set standards for data center excellence; it just reported on the controls and processes in place as described by a data center. The new AICPA standard, SSAE 16, strengthens the report by providing criteria for the evaluation of controls and processes. A Type 1 audit determines the effectiveness of the service provider’s controls according to the service provider’s description and assertion. A Type 2 audit determines the effectiveness of the controls and tests the accuracy of the service provider’s description and assertion, as well as the implementation and effectiveness of controls over a specific period of time.

Many companies renting space in a colocation data center require this certification. You can ask the Provider to see a document stating they completed the audit, or you can ask to see a copy of the report. Sometimes they will not e-mail or give you a copy of the report, so they may ask that you come in their office to review it. If you are interested in more information on IsoFusion’s SSAE 16 certification please contact or call 1-877-556-9711.