CSA Endorses AICPA Reporting Framework for Evaluating Controls over Cloud Providers

The American Institute of CPA's (AICPA) framework for evaluating technology-related controls and other safeguards used by Cloud service providers has been endorsed by the Cloud Security Alliance (CSA), a not-for-profit organization that promotes the use of best practices on security assurance within Cloud computing.

The AICPA's reporting framework, known as Service Organization Control Reports (SOC), was developed in 2011 and consists of three major document types:
  1. The SOC 1 report deals with controls over financial reporting and replaces the widely used SAS 70 report.
  2. The SOC 2 report focuses on controls that bear on a service provider's security, processing integrity, and operating availability as well as the confidentiality and privacy of data moving through its systems.
  3. SOC 3 is a compressed version of the SOC 2 and is designed for public distribution. 
In a position paper released February 25, CSA said that for most Cloud providers, a SOC 2 report "is likely to meet the assurance and reporting needs of the majority of users of Cloud services, when the criteria for the engagement are supplemented by the criteria in the Cloud Controls Matrix." CSA said it made its determination after a "careful consideration of alternatives."
"Technology-related compliance and operating integrity audits are becoming increasingly important as the adoption of Cloud-based services become the norm for businesses," said Jim Reavis, executive director of the CSA. "The CSA Security, Trust & Assurance Registry (STAR), serves as the standard for demonstrating transparent alignment with CSA security best practices, and this paper is a major step forward in leveraging AICPA's popular reporting framework to consolidate attestation requirements and layer third-party trust on top of CSA STAR."
CSA's position paper offers guidance to members on when a SOC 1 report is necessary, when a SOC 2 report is called for, and when both engagement types may be required. The document is the result of a close collaboration between the AICPA and the CSA, driven by their mutual goal of improving transparency and assurance in the Cloud computing field. 
"The Cloud can create great efficiencies for businesses, but it also introduces challenges and complexities for those businesses and their stakeholders who rely on the information's integrity, security, and privacy," said Susan Coffey, CPA, CGMA, senior vice president for public practice and global alliances. "We're delighted that the Cloud Security Alliance has given its stamp of approval to Service Organization Control Reports as a mechanism to meet this reporting challenge, as well as to complement the security principles in its Cloud Controls Matrix." 
Source: February 25, 2013, AICPA News Release

You may like these other stories...

In the old days, we used to tape down receipts from our travels and submit them to accounts payable. But that was before remote employees who may live in a different city from the home office. And of course, there's all...
In 2011, electrical services and technology provider Parsons Electric in Minneapolis, Minn., decided to take its accounting to the cloud. Monica Ross, the company's director of strategic projects, talked with AWEB about...
Event Date: July 24, 2014, 2 pm ET In this presentation Excel expert David Ringstrom, CPA revisits the Excel feature you should be using, but probably aren't. The Table feature offers the ability to both boost the...

Upcoming CPE Webinars

Jul 16
Hand off work to others with finesse and success. Kristen Rampe, CPA will share how to ensure delegated work is properly handled from start to finish in this content-rich one hour webinar.
Jul 17
This webcast will cover the preparation of the statement of cash flows and focus on accounting and disclosure policies for other important issues described below.
Jul 23
We can’t deny a great divide exists between the expectations and workplace needs of Baby Boomers and Millennials. To create thriving organizational performance, we need to shift the way in which we groom future leaders.
Jul 24
In this presentation Excel expert David Ringstrom, CPA revisits the Excel feature you should be using, but probably aren't. The Table feature offers the ability to both boost the integrity of your spreadsheets, but reduce maintenance as well.