Controls at a Service Organization refer to the controls that are in place at your company.
Many of these controls should be covered within your policies and procedures, as they should reflect an accurate depiction of the various processes that occur within your organization. Accurate policies and procedures (P&P) should be designed, implemented, and documented by the service organization. When the service auditor is testing the effectiveness of your control objectives and activities, your P&P support the achievement of the control objectives. While P&P are not enough to determine that a process is operating effectively, they can support the design effectiveness of a control.
Typically a service auditor will perform testing, beyond P&P, around the control objectives and activities to support the fact that employees are performing their duties in accordance with the P&P, because without the additional testing, it would be impossible have comfort that they are actually being followed.
Simply put, good policies and procedures will only get you so far during an audit because you still need to prove to the auditors that the functions management say are being performed are being carried out correctly.
SSAE 16 Data Centers
- Equinix Has SSAE 16 Compliance For 39 Data Centers - The Data Center Journal (blog)
- NetStandard Upgrades Kansas City Data Center to 10GigE Connectivity - MarketWatch (press release)
- Equinix Announces SSAE 16 Standards Compliance for 39 Data Centers in North ... - MarketWatch (press release)
- DuPont Fabros, IO Complete SSAE 16 Audits - Data Center Knowledge
- DuPont Fabros Technology, Inc. Announces Successful Completion of 2011 SSAE 16 ... - Sacramento Bee
- IO Receives SSAE 16 Type 2 Certification for Modular Data Centers - MarketWatch (press release)