CSA Position Paper on AICPA Service Organization Control Reports

Similar documents
Service Organization Controls. Managing Risks by Obtaining a Service Auditor s Report

Service Organization Controls. Managing Risks by Obtaining a Service Auditor s Report

Service Organization Control Reports

FAQs New Service Organization Standards and Implementation Guidance

The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011

SERVICE ORGANIZATION CONTROL REPORTS SM. Formerly SAS 70 Reports

Robert Brammer. Senior Advisor to the Internet2 CEO Internet2 NET+ Security Assessment Forum. 8 April 2014

Goodbye, SAS 70! Hello, SSAE 16!

Small Business Working Group. Charter

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

Open Certification Framework. Vision Statement

Service Organization Control (SOC) reports What are they?

Cybersecurity and the AICPA Cybersecurity Attestation Project

SECTION I INDEPENDENT SERVICE AUDITOR S REPORT

SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report

GRC Stack Research Sponsorship

SAS No. 70, Service Organizations

SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards

Information for Management of a Service Organization

Understanding ISO and Preparing for the Modern Era of Cloud Security

SOC Readiness Assessments. SOC Report - Type 1. SOC Report - Type 2. Building Trust and Confidence in Third-Party Relationships

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016

How To Be A Successful Compliance Officer

A view from the Cloud Security Alliance peephole

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

Orchestrating the New Paradigm Cloud Assurance

Cloud Computing An Auditor s Perspective

New Relic EU Data Protection Whitepaper

Audit, Review, Compilation, and Preparation of Financial Statements

A Flexible and Comprehensive Approach to a Cloud Compliance Program

G24: Audits of Controls at a Service Organization: New Standards SSAE 16 and ISAE 3402 Duff Donnelly and Jeffrey Spivack, Grant Thornton LLP

Farewell to SAS 70. What you need to know about the New Standard for Service Organization Reporting

SOC 3 for Security and Availability

Software Defined Perimeter Working Group. SDP Hackathon Whitepaper

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

SECURITY AND EXTERNAL SERVICE PROVIDERS

Whitepaper. Canopy Security. Simplicity, Agility, Transparency. An Atos company. Powered by EMC 2 and VMware

SUPPLY CHAIN ASSURANCE FRAMEWORK: THE SUPPLY CHAIN STANDARDS TRANSLATOR

THE BLUENOSE SECURITY FRAMEWORK

Auditing Cloud Computing and Outsourced Operations

Protecting Data and Privacy in the Cloud

SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS

ACL ANALYTICS. Installation and Activation Guide

Frequently asked questions: SOC 2 and 3

An Overview of Data Management

SOC 3 for Security and Availability

ASSESSMENT REPORT Federal PKI Compliance Report September 6, 2013

Shared Service System Audits: What User Management and Auditors Need to Know

Paxata Security Overview

Cloud Security Benchmark: Top 10 Cloud Service Providers Appendix A E January 5, 2015

White Paper DocuWare Cloud. Version 2.0

TOOLS and BEST PRACTICES

Compliance, Audits and Fire Drills: In the Way of Real Security?

Service Organization Control (SOC) Reports

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

Wrapping Audit Arms around the Cloud Georgia 2013 Conference for College and University Auditors

Questions from GAQC Conference Call The Impact of SAS 112 on Governmental Financial Statement Audits January 4, 2007

White Paper How Noah Mobile uses Microsoft Azure Core Services

Third party assurance services

ca IT Leaders Forum Working in the Cloud using the new ISO/IEC/ITU-T Cloud Computing Standards Dr David Ross, Chief Information Security Officer,

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University

CLOUD COMPUTING DEMYSTIFIED

Need to reassure customers that your cloud services are secure? Inspire confidence with STAR Certification from BSI

Effective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions

Copyright 2015, American Institute of Certified Public Accountants, Inc. All Rights Re... STATEMENT ON STANDARDS FOR CONSULTING SERVICES

Need to reassure customers that your cloud services are secure? Inspire confidence with STAR Certification from BSI

Cloud Computing What Auditors need to know

Cloud Computing Thunder and Lightning on Your Horizon?

The Cloud Security Alliance

IAASB Main Agenda (June 2010) Agenda Item. April 28, 2009

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

Transcription:

CSA Position Paper on AICPA Service Organization Control Reports February 2013

2013, Cloud Security Alliance. All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance Position Paper on AICPA Service Organization Control Reports at http://www.cloudsecurityalliance.org, subject to the following: (a) the Document may be used solely for your personal, informational, non-commercial use; (b) the Document may not be modified or altered in any way; (c) the Document may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Document as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Position Paper on AICPA Service Organization Control Reports (2013). 2013 Cloud Security Alliance - All Rights Reserved. 2

Contents Acknowledgments...4 1.0 Introduction...5 2.0 The Cloud Security Alliance Position...5 3.0 Further Background...6 4.0 Conclusion...8 5.0 Additional Resources...8 2013 Cloud Security Alliance - All Rights Reserved. 3

Acknowledgments Lead Author David Barton, Principal, UHY LLP Contributors Phil Agcaoili, CISO, Cox Communications Daniele Catteddu, Managing Director EMEA, Cloud Security Alliance Chris Halterman, Executive Director, Ernst & Young LLP John Howie, Chief Operating Officer, Cloud Security Alliance Audrey Katcher, Partner, RubinBrown, LLP Jim Reavis, Executive Director, Cloud Security Alliance Daniel Schroeder, Partner, Habif, Arogeti, & Wynne, LLP 2013 Cloud Security Alliance - All Rights Reserved. 4

1.0 Introduction In June 2011, the American Institute of Certified Public Accountants (AICPA) issued SSAE 16, which replaced SAS 70, an auditing standard used by CPAs reporting on controls at a service organization, including information technology controls. At that time, the AICPA introduced three Service Organization Control (SOC) reporting options: SOC 1 SM, SOC 2 SM and SOC 3 SM reports. The new AICPA reporting framework was created to eliminate confusion that management of a service organization (including management of cloud providers) might have regarding the type of engagement a CPA could perform to provide their customers with assurance on the service organization s controls. Part of this confusion stems from the lack of knowledge of customers, potential customers, and service organizations regarding the purpose of each type of SOC report and its intended use. Figure 1 - Overview of the Reporting Options For additional information: See the link below in Additional Resources The Cloud Security Alliance (CSA) has drafted this position paper as a means of educating its members and providing guidance on selecting the most appropriate reporting option. 2.0 The Cloud Security Alliance Position After careful consideration of alternatives, the Cloud Security Alliance has determined that for most cloud providers, a type 2 SOC 2 attestation examination conducted in accordance with AT section 101 of the AICPA attestation standards is likely to meet the assurance and reporting needs of the majority of users of cloud services, when the criteria for the engagement are supplemented by the criteria in the CSA Cloud Controls Matrix (CCM). AT 101 provides the following key strengths for the cloud industry s consideration: AT 101 is a mature attest standard (it serves as the standard for SOC 2 and SOC 3 reporting) Allows for immediate adoption of the CCM as additional criteria and the flexibility to update the criteria as technology and market requirements change Provides for robust reporting on the service provider s description of its system, and on the service provider s controls, including a description of the service auditor s tests of controls in a format very 2013 Cloud Security Alliance - All Rights Reserved. 5

similar to the now obsolete SAS 70 reporting format, and current SSAE 16 (SOC 1) reporting, thereby facilitating market acceptance 3.0 Further Background Although many cloud providers currently issue SOC 1 (SSAE 16) reports, which are intended for reporting on controls over financial reporting, the services being provided do not typically have a direct effect on, or relevance to, internal control over financial reporting (ICFR). If the controls being examined are not directly relevant to ICFR, then SOC 2 is a more suitable reporting standard. SOC 2 reports cover controls relevant to the security, availability, or processing integrity of a system or the confidentiality or privacy of the information processed by the system. The standard for performing and reporting on such engagements is provided in AT section 101 and the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2). Controls at private cloud and SaaS providers may affect their customers internal control over financial reporting, especially when the service (or software) involves initiating, authorizing, recording, processing, or reporting financial transactions that are included in the user entities financial statements. Each cloud provider should determine if its services affect the items above and should determine whether a SOC 1 (SSAE 16) report is appropriate for its circumstances. In some cases, the cloud provider may need to obtain both a SOC 1 (SSAE 16) report (for those controls that affect ICFR) and a SOC 2 (AT 101) report to adequately address all of the controls that are important to their customers. This conclusion is supported by the AICPA Technical Practice Aid titled TIS Section 9530: Service Organization Controls Reports, published in November 2011. Paragraph.19 of this publication states: Issuing Separate Reports When Performing Both a SOC 1 and SOC 2 Engagement for a Service Organization Inquiry Going forward, will service organizations that include control objectives relevant to user entities ICFR along with control objectives that are not relevant to user entities ICFR in their descriptions need to request two separate reports SOC 1 SM and SOC 2 SM? Reply Yes. Service organizations will now need to request two separate SOC reports if the service organization would like to address control objectives relevant to user entities ICFR and control objectives (criteria) that are not relevant to user entities ICFR. See paragraph 1.23 of the SOC 2 SM guide. 2013 Cloud Security Alliance - All Rights Reserved. 6

SOC 2 engagement is appropriate for reporting on controls relevant to the security, availability, or processing integrity of a system or the confidentiality, or privacy of the information processed by the system. When deciding which reporting approach is best for your environment, it is important to remember that non-financial reporting controls, such as controls relevant to security, availability, processing integrity, confidentiality, and privacy, are intended to be covered in a SOC 2 report, not a SOC 1 report. Figure 2 - Selecting SOC 1 or SOC 2 The AICPA Technical Practice Aid, TIS Section 9520: SSAE No. 16, Reporting on Controls at a Service Organization, provides clarification: Reporting on Controls at a Service Organization Relevant to Subject Matter Other Than User Entities ICFR Inquiry May AT section 801 be used for reporting on a service organization s controls relevant to subject matter other than user entities ICFR? Reply No. AT section 801 does not apply to examinations of controls over subject matter other than user entities ICFR. The increasing use of cloud computing companies (that provide user entities with on-demand network access to a shared pool of computing resources, such as networks, servers, storage, applications, and services) has created an increasing demand for CPAs to report on a cloud computing service organization s controls relevant to subject matter other than user entities ICFR. 2013 Cloud Security Alliance - All Rights Reserved. 7

4.0 Conclusion By providing this position paper, the Cloud Security Alliance hopes to provide relevant and timely guidance to its members. The Cloud Security Alliance supports the use of SOC 2 engagements and the ability to use the Cloud Controls Matrix as additional suitable criteria in order to produce an attestation report that will provide the most pertinent and comprehensive evaluation of controls for customers and users of cloud computing services. 5.0 Additional Resources SOC Whitepaper: http://www.aicpa.org/interestareas/informationtechnology/resources/trustservices/downloadabledocument s/10957-378%20soc%20whitepaper.pdf TIS Section 9520: http://www.aicpa.org/interestareas/frc/downloadabledocuments/tis_sections/tis_section_9520.pdf TIS Section 9530: http://www.aicpa.org/interestareas/frc/downloadabledocuments/tis_sections/tis_section_9530.pdf 2013 Cloud Security Alliance - All Rights Reserved. 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information