Get off my cloud!
By Peter G. Budreski
I was introduced to "computers" as a half credit course on my way to obtaining a university commerce degree in the '70s. Punch cards, flowcharting, and data centers were the buzz-words in that day, and terms like SaaS and Cloud Computing had not even been thought of. After graduating, I considered myself fortunate to land a job with one of the "Big 8" public accounting firms. On my very first day and orientation session, I was told in no uncertain terms: Client financial information was CONFIDENTIAL. PERIOD.
Confidentiality extended in all directions. You could not tell your parents or friends where you were working, working papers were to be guarded with hardened steel locks and metal boxes at the client offices, and visiting clients to the office were met in the boardroom, never in the bull pen.
And then, along came computers into the world of public accounting. Not the head office mainframes that could generate random numbers for statistical auditing, but computers for useful things like tax returns and tools for forecasts and budgets. Being one of the juniors in the office, I was often asked to run over to the tax-return processing center with new input sheets and to pick up completed returns. After getting the knack of doing computerized tax returns, I came to the conclusion that preparing computerized tax returns was far more civilized than having them typed out by members of the secretarial pool. Confidentially speaking, the part I could not figure out was why the tax-return processing center had an open-door policy and sometimes left the office door wide open. They must have known that confidentiality was important and had it all figured out. After all, I was only a junior.
Fast forward to the present. The public accounting business is a whole lot different and more efficient than it was back in the '70s. Write-up applications conveniently solved the problem of balancing lead sheets (solved in the '70s by taping the correct amount of coins to the sheet to get the reviewing partner's note cleared). Tax software is constantly being updated with new features that allow for much easier client planning and tax return document management - the client can actually have a paperless return.
It gets even better. There are services available through the Internet for the public accounting business that make the job easier. Client information, accounting software data files, and documentation can be obtained in a heartbeat. Nowadays, the buzz words like SaaS and cloud computing are a standard complement to many of the public accounting services.
What about the "C" word?
It seems like a lot of the suppliers of cloud computing that are invaluable to the public accounting industry say the same thing: "Secure - Encrypted - Confidential."
Really, now - how does one know that confidential client information will stay confidential as it gets bounced between servers, ethernet wires, and routers?
I am a proponent of applied technology and working smarter, not harder, so I am going to share the answer to this question with you.
The first thing one needs to understand is that using cloud computing in public accounting has to be thought of in the same way as saying, "The Titanic was unsinkable." The Titanic sank, but many other ocean-going vessels never do. Why? Everything involves a degree of risk, and cloud computing is no different. The better purveyors of cloud computing employ best practices and protocols to allow for trouble-free operations, in a fashion similar to successful shipping companies whose fleet never has a marine tragedy. Equally important is the fact that competent operators realize that secure and proper cloud computing is an ongoing process and not an event.
First, the standard with which a cloud computing provider should aim to be in compliance is SAS 70: Service Audit Reports. SAS 70 is a recognized auditing standard developed by the AICPA that culminates in an opinion that the provider of services has been through an in-depth audit of the company's control objectives and activities including those involving information technology and related processes.
SAS 70 can occur in two different formats: Type I and Type II. In simple terms, Type I is a snapshot style of report, whereas Type II is an "ongoing" process and considered to be the more rigorous of the two styles of certification. Smart purveyors of cloud computing always keep their Type II SAS 70 filings up to date.
Additionally, the provider of the cloud computing service should be able to answer the following:
- Are there multiple locations where customer information is stored in multiple copies? Are locations disclosed? They should not be.
- Is adequate physical security employed where information is stored? The closer to military grade like Fort Knox, the better.
- Is the storage of information domestic or foreign? Storage of information in a foreign jurisdiction may pose additional considerations.
- Why is the cloud computing provider in business? To store copious amounts of individuals' family pictures, or to be a legitimate provider of a business service? Chances are the business provider is savvier at providing a more secure service.
- Is the provider of the cloud computing able to state that their company's service meets or exceeds the highest government standards for such things as privacy of information?
- Is there end-to-end encryption from sender to cloud provider to end user?
- Does the provider of cloud computing provide for tracking of information insofar as users are concerned (i.e., an audit trail)?
The assessment of a cloud computing provider's ability to deliver a secure, reliable service will be contingent upon the users' diligence in getting answers on the SAS 70 filings and on other pertinent considerations listed above. Professional judgment and skepticism certainly do have their place in this decision. The smart cloud computing provider can and will provide detailed answers to these questions - more than just a yes/no.
A competent cloud computing provider should be as convincing as a properly managed bank that has the 100% confidence of its depositors that the money belongs in the bank and not under a mattress.
Finally, the smart accounting practitioner always talks to his clients. The simplest question to ask the client is, "Are you okay with your information being worked on in the cloud?" Even if the accounting practitioner has made all the right choices for a cloud computing provider, the client may not be convinced. Maybe, with all of the technological abilities of today's computers, it will not be tragic if a percentage of the practice's revenues get worked on an in-office computer and backed up on a removable hard drive that gets stored in a bank safety deposit box.
It looks like the chorus to the classic 1965 tune by the Rolling Stones has a whole new meaning to it.
About the author:
Peter Budreski has been a Chartered Accountant for over 25 years based in Halifax, Nova Scotia. He is president of TCOB Computer Solutions and a vice president of Certified Software Labs Inc., based in Toronto, Ontario.
TCOB's mission statement states that it provides clients with the most efficient means of dealing with accounting data, the maximum useful information from their accounting systems, and a view to more effective utilization of resources through training and technology implementation in a simplified manner.
Peter is an AccountEdge Certified Consultant and a Certified QuickBooks ProAdvisor.
Peter can be found on Twitter at pbudreski and on LinkedIn at http://ca.linkedin.com/in/pbudreski
The author would like to give special thanks to Alex Teu, Vice President of Business Development, Leapfile and Oxygen Cloud, for his contributions.