What CPAs need to know about Cloud security

By Jeff Onesto

No computing environment is completely secure. However, some environments are more secure than others.
The American Institute of Certified Public Accountants' (AICPA) 2010 Top Technology Initiatives (TTI) survey ranks data security as the topconsideration driving businesses today. What is most interesting about the survey is the scope now includes both internal firm and external client technology initiatives. CPAs might want to brush up on security basics specifically as they relate to "Cloud" applications as many clients are turning to their trusted business advisor for guidance.
Thanks to our friends at Enron, many companies must now comply with Section 404 of The U.S. Sarbanes-Oxley (SOX) Act. The act requires annual assessment of internal controls over financial reporting.  Both the Committee of Sponsoring Organizations (COSO) and Information System Auditor and Control Association (COBIT) frameworks are supposed to enable clear policy development and good practice for financial reporting and information technology controls.
When it comes to Cloud security, the testing of financial reporting controls provides little assurance in regard to availability, reliability, confidentiality, and integrity of data. The COBIT Framework, built in part upon the COSO Framework provides management some additional tools to assess and measure the performance of 34 information technology processes.
Both frameworks are non-specific by design and do not compete with each other. The newest framework on the block comes from the International Organization for Standardization (ISO) and the International Electro-technical Commission (IEC). The ISO27001 framework specifically addresses information security, however, no framework as of yet is specific to Cloud environments.
Independent reports
The most popular independent audit reports for Cloud environments is the Statement of Auditing Standards No. 70 (SAS70), which, as of this April, has been replaced by Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SSAE 16 is effective for service auditor's reports for periods ending on or after June 15, 2011. In the SAS70 audit engagement, the auditor provides assurance to users and specifically users’ auditors, in respect to the service organization's internal controls. The SAS70 audit addresses whether internal controls and procedures were suitably and properly designed, put into operation, and are operating effectively.
The SAS70 audit does not rate a company's internal controls against a particular set of defined security best practices. In matter of fact, if a company designed poor controls that work as designed, the report would state just that without calling attention to the fact the controls were indeed poorly designed.  
The new Trust Services audit engagement from the AICPA is gaining popularity. In the Trust Services audit engagement, the auditor provides assurance that an organization's systems controls meet one or more of the Trust Services principles and related criteria. In a Trust Services audit engagement, the auditor tests and evaluates as to whether a particular system is reliable when evaluated against the essential principles of availability, integrity, security, privacy, and confidentiality.
The Trust Services audit provides a report of the system reliability and, unlike the SAS70, uses a predefined set of criteria and principles for all types of audit engagements. The Trust Services audit report is intended to offer assurance to a broad audience – management, boards of directors, customers, and business partners.
Bottom line
The chief information security officer (CISO) has various frameworks and independent reporting options from which to select. As any great chef knows, a good recipe doesn’t always guarantee a good meal. The fact that Salesforce.com became one of the first Software-as-a-Service (SaaS) applications to become certified under the ISO27001 should highlight the fact that the market is changing.
It is up to trusted business advisors such as CPAs to help educate users of SaaS applications which combination of frameworks and independent audit engagements are needed to address concerns around security, privacy, availability, or confidentiality.
About the author:
Jeff Onesto, CPA, is director of product management for a SaaS accounting solution provider. His prior experience consists of Big Six consulting, enterprise software sales and delivery, product marketing, and bringing Web 2.0 solutions to the mid-market.
Related articles:

You may like these other stories...

Event Date: May 29, 2014 In this presentation Excel expert David Ringstrom, CPA brings you up to speed on the Excel feature you should be using, but probably aren't. The Table feature offers the ability to both...
No field likes its buzzwords more than technology, and one of today's leading terms is "the cloud." But it's not just a matter of knowing what's fashionable. Accounting professionals who know how to use...
There is a growing trend of accountants moving away from traditional compliance work to more advisory work. Client demand is there, but it is up to the accountants to capitalize on that. What should accountants' roles be...

Upcoming CPE Webinars

Apr 22
Is everyone at your organization meeting your client service expectations? Let client service expert, Kristen Rampe, CPA help you establish a reputation of top-tier service in every facet of your firm during this one hour webinar.
Apr 24
In this session Excel expert David Ringstrom, CPA introduces you to a powerful but underutilized macro feature in Excel.
Apr 25
This material focuses on the principles of accounting for non-profit organizations' revenues. It will include discussions of revenue recognition for cash and non-cash contributions as well as other revenues commonly received by non-profit organizations.
Apr 30
During the second session of a four-part series on Individual Leadership, the focus will be on time management- a critical success factor for effective leadership. Each person has 24 hours of time to spend each day; the key is making wise investments and knowing what investments yield the greatest return.