CenturyLink provides an annual Statement on Standards for Attestation Engagements (SSAE) No. 16. The certification validates CenturyLink’s commitment to operational excellence and client satisfaction. The SSAE 16 SOC 1 Type 2 report indicates that an independent service auditor has formally evaluated and issued an opinion on the description of selected CenturyLink systems. The opinion includes the suitability of the design and the operating effectiveness of applicable controls. This audit report includes controls related to:
- Managed security services
- Change management
- Service delivery
- Support services
- Environmental services
- Physical security and facilities management
- Managed hosting services
- Managed storage
- Backup services
Thirteen of CenturyLink global data centers are independently audited in accordance with SSAE 16 and have published a Service Organization Controls 1 (SOC 1), Type 2 report.
Benefits
Service Organization Controls (SOC) reports are specifically designed for organizations like CenturyLink. The reports help organizations operate their systems and provide services to their customers by building trust and confidence in their service delivery processes and controls. Each type of SOC report is designed to help meet specific needs:
SOC 1 Reports
SOC 1 Reports are conducted in accordance with the professional standard known as Statement on Standards for Attestation Engagements (SSAE) No. 16, simply known as SSAE 16. These reports are specifically intended to meet the needs of the customers of CenturyLink. There are two types of reports:
Type 1
Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
Type 2
Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
Additionally, accompanying SSAE 16 audit guides are available to help auditors perform these engagements. The SOC 1 reporting framework uses SSAE 16 as the professional standard for issuing these reports.
Scope of SOC 1 Reports
The scope of the SOC 1 report addresses the networking and hosting services system provided by CenturyLink. The network and hosting services environment is an Information Technology General Control (ITGC) system.
Two primary features of the SOC 1 report that organizations should be aware of are:
-
Description of the “system”.
The management of the service organization is ultimately responsible for providing what's technically known as the description of the "system." The description covers the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities.
-
Written statement of assertion by management
he management of the service organization must also provide the auditor with a written statement of assertion, a document that effectively attests to a number of important provisions and clauses relating to the engagement itself. Management’s written assertion covers:
- The fair presentation of the system description.
- The suitability of the controls’ design and verification that they were implemented as of a specific date (Type I) or throughout the period (Type 2).
- The operating effectiveness of controls throughout the period (Type 2).
- The relevant changes to the system throughout the period (Type 2).
CenturyLink SOC 1 Certified Data Centers
Worldwide, CenturyLink has 59 SOC 1-compliant data centers These facilities and processes and policies have been audited by SOC 1, CSAE 3416, and/or ISO 27001 standards.
Products and Services
A variety of products and services are included in the SOC 1 report, including:
- Colocation
CenturyLink is a hands-on solutions partner that brings together the right people, industry best practices and comprehensive network and IT services for your business challenges.
- Managed Security
CenturyLink Managed Security Services provide a full complement of threat prevention, threat management, incident response and analysis services to support your hosted or on-premise enterprise security environments.
- Managed Hosting
Maintain complex IT infrastructure and applications with our comprehensive portfolio of managed hosting services including, fully manage networks, servers, storage, operating systems, and security.
- Managed Storage and Backups
Gives a range of storage options including data replication and back up/archiving. CenturyLink solutions are secure, affordable and can provide data resilience with up to 5 nines.
Use Cases for SSAE 16 Compliance
A significant number of organizations that previously underwent SAS 70 compliance will be SSAE 16 candidates. This is due in large part to the services and supporting controls in place that affect the internal control over financial reporting (ICFR) for entities utilizing CenturyLink services.
Some examples of SSAE 16 candidates are:
- Application Service Providers (ASPs)
- Credit Card Processing Platforms
- Cloud Computing, Virtualization or On-Demand Computing Services
- Internet Service Providers (ISPs)
- Web Hosting, Web Design and Development
- Social Media | Content Tagging and Aggregators
- Data Center and Colocation Providers
- Managed IT Services
- Third Party Administrators (TPAs)
- Medical Billing
- Print and Mail Delivery
- Online Fulfillment
- Transportation Services
- Tax Credit and Empowerment Services
- Payroll Services
Frequently Asked Questions
What is the difference between SOC 1 vs. SOC 2?
In the regulatory compliance world what’s a better fit for data center compliance, SOC 1 SSAE 16 reporting or SOC 2 AT 101 reporting? Both sides put forth credible merits for using either SOC 1 or SOC 2. Many firms issue both SOC 1 and SOC 2 reports for data centers.
What are some recent trends impacting the use of SOC 1 reports?
- The increasing amount of outsourced activities.
- Growth of outsourced service providers, including the following:
- Payroll functions
- Accounting functions
- Third-party retirement plan administrators
- Third-party health care administrators
- Increasing regulation, such as the Sarbanes-Oxley Act of 2002, which includes reporting on the effectiveness of internal control over financial reporting.
What are the key differences between Type I and Type II reports?
A Type I report does not include testing or an opinion related to the operating effectiveness of controls over a specified period of time.
Glossary
- Service organization or service provider
-
Organization providing the outsourced service.
- Subservice organization
-
Organization used by service organization to provide third-party services to the service organization.
- Service auditor
-
Auditor performing a SOC 1 examination of the service organization’s controls.
- User entity
-
Organization receiving the outsourced service.
- User auditors
-
External auditors of the user entity.
