Cloud Security Alliance endorses AICPA SOC report


The AICPA’s framework for assessing the reliability of a cloud provider’s technology and systems controls has won the endorsement of the Cloud Security Alliance (CSA), a not-for-profit coalition with members including Google, Microsoft, Ernst & Young, Deloitte, and PwC.

The AICPA is a CSA affiliate member.

In a position paper released Monday, the CSA threw its support behind one of the AICPA’s three Service Organization Control (SOC) reports. The AICPA’s SOC 2 report lays out guidelines for evaluating how a cloud provider’s controls and other safeguards affect the security, processing integrity, and operating availability of the provider’s systems, as well as the privacy and confidentiality of data moving through those systems.

Specifically, the CSA position paper endorses the second of two types of SOC 2 reports. The type 2 report assesses a cloud service provider’s controls over a period of time, while a type 1 report performs the assessment for a single point in time. The CSA, which announced the endorsement Monday at the opening of its annual security summit in San Francisco, says in its position paper that “for most cloud providers, a type 2 SOC 2 attestation examination conducted in accordance with AT section 101 of the AICPA attestation standards is likely to meet the assurance and reporting needs of the majority of users of cloud services, when the criteria for the engagement are supplemented by the criteria in the CSA Cloud Controls Matrix,” a framework CSA provides for assessing the overall security risk of a cloud provider.

AT Section 101 provides the basis for the SOC 2 and SOC 3 reports. SOC 3 is essentially a condensed version of the SOC 2 report designed for public consumption. Under AT Section 101, a cloud provider’s controls are evaluated using the trust services principles and criteria for security, availability, processing integrity, confidentiality, or privacy.

In its position paper, the CSA says it chose to endorse SOC 2 after a “careful consideration of alternatives.”

The Alliance praised SOC 2 because it:

  • Utilizes AT Section 101, a mature standard for reporting;
  • Allows for immediate adoption of the CCM as additional criteria and the flexibility to update the criteria as technology and market requirements change;
  • Provides for robust reporting on the cloud service provider’s description of its system, and on the cloud service provider’s controls, including a description of the service auditor’s tests of controls in a format very similar to the now-obsolete Statement on Auditing Standards (SAS) No. 70 reporting format, and current Statement on Standards for Attestation Engagements (SSAE) No. 16 (SOC 1) reporting, thereby facilitating market acceptance.

“The cloud can create great efficiencies for businesses, but it also introduces challenges and complexities for those businesses and their stakeholders who rely on the information’s integrity, security, and privacy,” said Susan Coffey, CPA, CGMA, the AICPA’s senior vice president–Public Practice & Global Alliances, in a news release. “We’re delighted that the Cloud Security Alliance has given its stamp of approval to Service Organization Control Reports as a mechanism to meet this reporting challenge.”

The AICPA introduced the SOC reports in 2011, when the Institute replaced the widely used SAS No. 70 with two standards, SSAE No. 16 for service auditors and a new SAS for user auditors. The SSAE No. 16 standard provides the basis for SOC 1 reports and, like SAS No. 70, focuses on guidance for auditors assessing financial statement controls at service organizations (see “Explaining SOC: Easy as 1-2-3,” CPA Insider, June 11, 2012).

The CSA’s position paper provides guidance on when to use a SOC 1 report, when to use a SOC 2 report, and when both might be appropriate. The paper resulted from close collaboration between the AICPA and CSA in working toward a shared goal of increased transparency and assurance in the cloud-computing field.

Jeff Drew is a JofA senior editor.
