The Cloud: Just One SOC Opportunity
It's no secret that an organization's confidential information is vulnerable in today's world of electronic storage. If you have any doubt, just ask The New York Times or The Wall Street Journal – both of which recently reported having their computer systems hacked.
Organizations transferring storage and/or the processing of their data to cloud-based systems are faced with the added complexities of how to best maintain ownership and control of that data while continuing to assure customers they have controls in place to keep data secure. How can organizations provide their stakeholders with comfort related to this transferred information?
Service Organization Control Reports℠ represent the intersection of cloud computing and the trusted advisor role of the CPA. In 2011, the AICPA introduced three SOC reporting options: SOC 1℠, SOC 2℠ and SOC 3℠ reports, creating a great opportunity for CPAs to assert their knowledge and capabilities related to examining and reporting on controls at service organizations, including cloud service providers.
The SOC 2 report was recently endorsed by the Cloud Security Alliance in a new position paper and has been called “the real thing” by industry experts. Testing controls over a period of time, SOC 2 follows proven procedures in a proven environment by:
- Reporting on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy;
- Using the trust services criteria; and
- Including a description of the service auditor’s tests of controls and results.
The result is that service organizations—and their customers—will gain added comfort knowing the service organization controls have been assured through a CPA's examination and opinion.
Assuring cloud service providers’ systems is a ripe opportunity for CPAs to grow their practices in a niche service area. While many vendors can offer certifications of service organizations, the results they provide may be very high-level and their approach may not have the same depth and breadth as an examination performed by a CPA. That’s why we CPAs need to educate our clients and prospects about why a CPA is the best professional for the job. CPAs have the necessary skills, reputation and experience to provide quality results. In addition to a more thorough report, SOC reporting also provides a logo marketing the existence of the report for service organizations to display on their websites.
In addition to providing an added revenue stream for accounting practices, performing SOC engagements can:
- Empower and energize CPAs to learn and hone new skills;
- Create incentive for new hires and attract new, technologically-savvy talent; and
- Help build year-round work.
If you’re looking to take advantage of the increasing number of organizations using cloud-based services or are looking for practice growth opportunities in this area, check out the AICPA’s SOC Reports website. There you’ll find a toolkit to help you develop a niche SOC practice, a toolkit for service organizations so they can build trust and confidence in their service delivery and controls among their customers, and a wealth of other resources, publications and continuing education for CPAs. You can also find additional resources—from webcasts to tips to better understand SOC reporting—from the AICPA’s Information Technology & Technology Assurance Section. You might also consider attending the AICPA’s SOC School: Advanced Guidance for Successful Engagements to learn more.
How important are security and other safeguards for your clients who are considering a move to the cloud?
Audrey Katcher, CPA, CITP, Risk Services Partner and Cloud Assurance Advisor, RubinBrown LLP. Audrey provides internal and cloud control consulting and SOC services. She serves on the AICPA Information Management and Technology Assurance Committee, the SOC sub-committee, the AICPA Data Integrity Task Force and the Cloud Security Alliance.