The AICPA’s framework for assessing the reliability of a cloud provider’s technology and systems controls has won the endorsement of the Cloud Security Alliance (CSA), a not-for-profit coalition with members including Google, Microsoft, Ernst & Young, Deloitte, and PwC.
The AICPA is a CSA affiliate member.
In a position paper released Monday, the CSA threw its support behind one of the AICPA’s three Service Organization Control (SOC) reports. The AICPA’s SOC 2 report lays out guidelines for evaluating how a cloud provider’s controls and other safeguards affect the security, processing integrity, and operating availability of the provider’s systems, as well as the privacy and confidentiality of data moving through those systems.
Specifically, the CSA position paper endorses the second of two types of SOC 2 reports. The type 2 report assesses a cloud service provider’s controls over a period of time, while a type 1 report performs the assessment for a single point in time. The CSA, which announced the endorsement Monday at the opening of its annual security summit in San Francisco, says in its position paper that “for most cloud providers, a type 2 SOC 2 attestation examination conducted in accordance with AT section 101 of the AICPA attestation standards is likely to meet the assurance and reporting needs of the majority of users of cloud services, when the criteria for the engagement are supplemented by the criteria in the CSA Cloud Controls Matrix,” a framework CSA provides for assessing the overall security risk of a cloud provider.
AT Section 101 provides the basis for the SOC 2 and SOC 3 reports. SOC 3 is essentially a condensed version of a SOC 2 report designed for public consumption. Under AT Section 101, a cloud provider’s controls are evaluated using the trust services principles and criteria for security, availability, processing integrity, confidentiality, or privacy.
In its position paper, the CSA says it chose to endorse SOC 2 after a “careful consideration of alternatives.”
The Alliance praised SOC 2 because it:
- Utilizes AT Section 101, a mature standard for reporting;
- Allows for immediate adoption of the CCM (the CSA Cloud Controls Matrix) as additional criteria and the flexibility to update the criteria as technology and market requirements change;
- Provides for robust reporting on the cloud service provider’s description of its system, and on the cloud service provider’s controls, including a description of the service auditor’s tests of controls in a format very similar to the now-obsolete Statement on Auditing Standards (SAS) No. 70 reporting format and to current Statement on Standards for Attestation Engagements (SSAE) No. 16 (SOC 1) reporting, thereby facilitating market acceptance.
“The cloud can create great efficiencies for businesses, but it also introduces challenges and complexities for those businesses and their stakeholders who rely on the information’s integrity, security, and privacy,” said Susan Coffey, CPA, CGMA, the AICPA’s senior vice president–Public Practice & Global Alliances, in a news release. “We’re delighted that the Cloud Security Alliance has given its stamp of approval to Service Organization Control Reports as a mechanism to meet this reporting challenge.”
The AICPA introduced the SOC reports in 2011, when the Institute replaced the widely used SAS No. 70 with two standards, SSAE No. 16 for service auditors and a new SAS for user auditors. The SSAE No. 16 standard provides the basis for SOC 1 reports and, like SAS No. 70, focuses on guidance for auditors assessing financial statement controls at service organizations (see “Explaining SOC: Easy as 1-2-3,” CPA Insider, June 11, 2012).
The CSA’s position paper provides guidance on when to use a SOC 1 report, when to use a SOC 2 report, and when both might be appropriate. The paper resulted from close collaboration between the AICPA and CSA in working toward a shared goal of increased transparency and assurance in the cloud-computing field.
—Jeff Drew (firstname.lastname@example.org) is a JofA senior editor.