Cloud Security Alliance endorses AICPA SOC report


The AICPA’s framework for assessing the reliability of a cloud provider’s technology and systems controls has won the endorsement of the Cloud Security Alliance (CSA), a not-for-profit coalition with members including Google, Microsoft, Ernst & Young, Deloitte, and PwC.

The AICPA is a CSA affiliate member.

In a position paper released Monday, the CSA threw its support behind one of the AICPA’s three Service Organization Control (SOC) reports. The AICPA’s SOC 2 report lays out guidelines for evaluating how a cloud provider’s controls and other safeguards affect the security, processing integrity, and operating availability of the provider’s systems, as well as the privacy and confidentiality of data moving through those systems.

Specifically, the CSA position paper endorses the second of two types of SOC 2 reports. The type 2 report assesses a cloud service provider’s controls over a period of time, while a type 1 report performs the assessment for a single point in time. The CSA, which announced the endorsement Monday at the opening of its annual security summit in San Francisco, says in its position paper that “for most cloud providers, a type 2 SOC 2 attestation examination conducted in accordance with AT section 101 of the AICPA attestation standards is likely to meet the assurance and reporting needs of the majority of users of cloud services, when the criteria for the engagement are supplemented by the criteria in the CSA Cloud Controls Matrix,” a framework CSA provides for assessing the overall security risk of a cloud provider.

AT Section 101 provides the basis for the SOC 2 and SOC 3 reports. SOC 3 is essentially a condensed version of the SOC 2 report designed for public consumption. Under AT Section 101, a cloud provider’s controls are evaluated using the trust services principles and criteria for security, availability, processing integrity, confidentiality, or privacy.

In its position paper, the CSA says it chose to endorse SOC 2 after a “careful consideration of alternatives.”

The Alliance praised SOC 2 because it:

  • Utilizes AT Section 101, a mature standard for reporting;
  • Allows for immediate adoption of the CCM as additional criteria and the flexibility to update the criteria as technology and market requirements change;
  • Provides for robust reporting on the cloud service provider’s description of its system, and on the cloud service provider’s controls, including a description of the service auditor’s tests of controls in a format very similar to the now-obsolete Statement on Auditing Standards (SAS) No. 70 reporting format, and current Statement on Standards for Attestation Engagements (SSAE) No. 16 (SOC 1) reporting, thereby facilitating market acceptance.

“The cloud can create great efficiencies for businesses, but it also introduces challenges and complexities for those businesses and their stakeholders who rely on the information’s integrity, security, and privacy,” said Susan Coffey, CPA, CGMA, the AICPA’s senior vice president–Public Practice & Global Alliances, in a news release. “We’re delighted that the Cloud Security Alliance has given its stamp of approval to Service Organization Control Reports as a mechanism to meet this reporting challenge.”

The AICPA introduced the SOC reports in 2011, when the Institute replaced the widely used SAS No. 70 with two standards, SSAE No. 16 for service auditors and a new SAS for user auditors. The SSAE No. 16 standard provides the basis for SOC 1 reports and, like SAS No. 70, focuses on guidance for auditors assessing financial statement controls at service organizations (see “Explaining SOC: Easy as 1-2-3,” CPA Insider, June 11, 2012).

The CSA’s position paper provides guidance on when to use a SOC 1 report, when to use a SOC 2 report, and when both might be appropriate. The paper resulted from close collaboration between the AICPA and CSA in working toward a shared goal of increased transparency and assurance in the cloud-computing field.

Jeff Drew ( ) is a JofA senior editor. 
