Brian Thomas

The Growing Importance of Relevant Cloud Service Provider Assurance

A new IBM survey reveals 75 percent of companies will start building some sort of cloud structure in the next two years. Here’s why your company should explore this option.

March 1, 2012
by Brian Thomas, CISA, CISSP

Perhaps your organization uses salesforce.com or other applications offered in a Software-as-a-Service (SaaS) format. You may be using Google App Engine or another Platform-as-a-Service (PaaS) provider for developing software. Infrastructure-as-a-Service (IaaS) providers, such as Rackspace and Amazon cloud services, offer extensive IT capabilities, including immense data storage capacity.

If your organization is not using any of those levels of cloud computing now, chances are it will be exploring such options soon.

According to the 2011 IBM Tech Trends Report, which surveyed more than 4,000 professionals in 93 countries and 25 industries, 25 percent of the respondents said their organizations would begin developing cloud-based applications within the next two years, while 24 percent said their organizations would utilize cloud services for virtualization or data storage within 24 months. Overall, 75 percent of those respondents said they believe their organizations will start building some form of cloud infrastructure within that time span.

The potential benefits associated with cloud computing spur such predictions. Cloud computing eliminates the fixed costs organizations face in maintaining vast in-house IT capabilities. Cloud computing enables companies to purchase “on demand” IT services to meet fluctuating needs. It also scales up easily for business expansion, because cloud computing services can be purchased and implemented within a day.

The easy accessibility of cloud services holds increasing appeal because many computing functions are now performed on smartphones, laptops or tablets, and cloud-based services can be accessed from virtually any device with Internet connectivity.

IT Risk Considerations in the Cloud

While cloud computing offers numerous potential benefits, there are vulnerabilities and assurance concerns that accompany relying upon a cloud service provider (CSP) for various IT functions. You need to know how CSPs address data integrity, data privacy, security, system availability, system reliability, data retention and other general IT concerns. You also need to know how they address risks related to any specific compliance requirements your organization faces, including:

  • The Sarbanes-Oxley Act, as it relates to public corporations’ internal controls over financial reporting.
  • The Health Insurance Portability and Accountability Act (HIPAA), as it relates to maintaining privacy and security of protected health information (PHI).
  • The Payment Card Industry Data Security Standards (PCI DSS), as they relate to mitigating the risks of credit card fraud.

Any service level agreement (SLA) involving your organization and a CSP needs to define how general IT risks and specific compliance requirements will be met. Continued assurance is necessary regarding the effectiveness of the service provider’s internal controls over such vulnerabilities.

Attaining an Appropriate Assurance Report From a CSP

As part of the AICPA’s 2011 replacement of SAS 70 with Statement on Standards for Attestation Engagements No. 16 (SSAE 16, Reporting on Controls at a Service Organization), it also reorganized the suite of Service Organization Control (SOC) assurance reports and introduced a new option called SOC 2.

The SOC reports (as they are now called) give CPAs more options to obtain assurance reports that are more appropriate for the IT services that CSPs provide than SAS 70. The SOC reports are available in SOC 1, SOC 2 and SOC 3 formats.

A SOC 1 engagement is based on SSAE 16 and is most valuable to auditors of cloud customers’ financial statements who previously relied on a CSP’s SAS 70 report in the audit of the customer’s financial statements, frequently to fulfill Sarbanes-Oxley requirements. The SOC 2 and SOC 3 reports are based on the AICPA’s Trust Services Principles:

  • Security. Physical and logical measures protect against unauthorized access.
  • Availability. System is available for operation and use, as specified.
  • Processing integrity. System processing is complete, accurate, timely and authorized.
  • Confidentiality. Information designated as confidential is protected, as committed or agreed.
  • Privacy. Information is collected, handled and disposed of in accordance with criteria established by the AICPA’s Generally Accepted Privacy Principles (GAPP).

The SOC 3 report (formerly SysTrust) is a general use report that is beneficial for marketing purposes. It only includes the auditor’s opinion on whether the system achieved the Trust Services principles and criteria. The report does not include supporting details and therefore provides limited value to the users who need this information.

A SOC 2 report is far more useful in fulfilling a cloud customer’s information needs. The report includes a written assertion by management regarding the description of the organization’s system, the suitability of the design of the controls and, in a type 2 report, the operating effectiveness of the controls in meeting the applicable trust services criteria. The report also contains a CPA’s opinion on the fairness of the presentation of the description, the suitability of the controls and, in a type 2 report, the operating effectiveness of the controls, as well as a description of the tests of controls the service auditor performed and the test results.

One or more of the Trust Services Principles may be addressed in a SOC 2 report. That focus and flexibility enables a cloud customer to attain assurance for the trust services principles that are most relevant for the services it receives from a CSP. A professional services firm, for example, may contract with a CSP for various SaaS applications. For that firm, availability and processing integrity may be vital assurance issues.

Cloud customers that must meet PCI DSS or HIPAA data protection requirements need assurance for a CSP’s internal controls as they relate to security, confidentiality and privacy.

By addressing such principles as they apply to disparate needs, the SOC 2 report enables us to request and attain the most relevant assurance for the concerns we face when contracting with a CSP.


Brian J. Thomas, CISA, CISSP is a partner in advisory services for Weaver, an independent accounting firm in the Southwest with offices throughout Texas. He can be reached at 713-800-1050.