Does it Rain in the Cloud? The Importance of Having an Umbrella Just in Case.
This whitepaper, by Mike Mellor and John Harder, Partners with Argy, Wiltse & Robinson PC's Business Consulting Group, demonstrates why it is best to be prepared when considering moving any aspect of your organization’s operations to the cloud. A key part of that vetting process should include the internal controls in place at the service provider and reviewing the results of any assurance services that have been performed over those controls.
No doubt, you have heard of or are somewhat familiar with the latest technology term to hit the mainstream business vernacular – cloud computing. In short, the term cloud is simply a reference to the internet; it is only when the term is combined with computing that things can start to get a little fuzzier.
For those of you who are not familiar with this new term, it refers to organizing or provisioning a variety of computer resources using a computer network, most often with the end user having no knowledge of either the physical location or the configuration of the computers that are being accessed or that are delivering the requested services. Cloud computing is a model for enabling convenient, on-demand access to a shared pool of computing resources, such as networks, servers, storage, or application services. One of the key characteristics of cloud computing is that data is processed in an often unspecified location. This is in contrast to the client-server model, which we have all become familiar with over the past 20 years, where data processing occurs on one or more known, specific servers.
Business applications are moving to the cloud with increasing frequency, and the trend is likely to continue at a growing pace. For businesses, the attraction of cloud computing is simple. The cloud operates like a utility in many respects, and you only pay for what you use. The costs and challenges of managing a large IT department can be significantly reduced because the hardware, software maintenance, security, and management are in the cloud and outsourced to a vendor. In fact, the most recent innovations in cloud computing allow business applications to become more mobile and interactive, much like what we are experiencing with consumer applications such as Facebook, Twitter, and the literally hundreds of applications available to you through your smartphone's application store.
The forecast for the cloud appears to be mostly sunny, with warm yet mild breezes and consistently pleasant, enjoyable conditions. My question is, does the forecast ever change, and does it rain in the cloud? If so, what type of protection do you need for potentially inclement weather in the cloud?
The risks of cloud computing include not only the same risks present in a traditional client-server environment, but also increased access and security concerns. For example, one of the advertised benefits of cloud computing is not having to worry about backing up data anymore. However, cloud computing vendors must demonstrate how their hundreds of servers are really more reliable than your external hard drive. Servers do go down, and when you use a web application to access your data or process transactions, there is the risk that you will not be able to accomplish what you need to within the time frame in which you need to accomplish it.
Simply said, when you are operating in the cloud you are relying on a third party who can make decisions about your data, platform and applications that will impact your operations, goals and objectives. While the benefits offered by cloud computing are numerous, any organization looking to move all or a part of their IT operating environment to the cloud needs to consider the risks involved.
In evaluating the decision to move to the cloud, IT managers should evaluate the risk-benefit ratio. Some of the more common benefits and risks to be considered are noted in the chart below:
| Benefits | Potential Risks |
| --- | --- |
Key Considerations
In evaluating the decision to move to the cloud, decision makers should consider not only the benefits and related risks, but also the level of assurance that their service providers are able to offer relative to the following:
- Transparency
- Privacy
- Compliance
- Certification
In evaluating a potential cloud computing service provider, internal controls are an all-important consideration. Your cloud vendor should be able to provide you with a level of assurance about what they are doing and how they are doing it. Independent assurance from third-party assurance reports, such as SAS 70 or SSAE 16 reports, will be a critical point of evaluation in making the final decision on which service provider to choose.
Recently, the rules regarding third-party assurance have changed. Historically, guidance for Certified Public Accountants (CPAs) reporting on internal controls at a service organization, such as a cloud computing service provider, was dictated by Statement on Auditing Standards No. 70 (SAS 70). When companies outsource tasks and functions to a service organization, many of the risks of the service organization become the risks of the user entities. With increased regulation and an ever-increasing focus on internal controls (e.g., Sarbanes-Oxley and HIPAA), user entities are performing more due diligence on prospective service providers, as well as more governance and oversight of existing service providers.
Recently, in response to dynamic changes in the marketplace, the American Institute of Certified Public Accountants (AICPA) issued a new framework for CPAs to examine controls and to help management at user entities understand and evaluate risks.
The AICPA has established three Service Organization Control (SOC) reporting options (SOC 1, SOC 2, and SOC 3 reports).
- SOC 1 engagements are performed in accordance with Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization. SOC 1 reports focus solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements.
- SOC 2 and SOC 3 engagements address controls at service organizations that relate to operations and compliance, and will commonly cover security, availability, processing integrity, confidentiality, or privacy. Given some of the potential risks an entity may encounter in moving to the cloud, SOC 2 and SOC 3 engagements might prove to be more common.
By engaging an independent CPA to examine and report on a service organization’s controls, service organizations can respond to the needs and concerns of user entities. A user entity needs to obtain an objective evaluation of a service organization’s controls over operations and compliance as part of its consideration of engaging that service provider.
So in conclusion, yes, it does periodically rain in the cloud. However, when there is a hint of uncertainty in any forecast, it is best to be prepared. When considering moving any aspect of your organization’s operations to the cloud, you should undertake a process to fully vet any and all potential service providers. A key part of that vetting process should include the internal controls in place at the service provider and reviewing the results of any assurance services that have been performed over those controls.
Argy, Wiltse & Robinson, PC is a full-service public accounting firm headquartered in McLean, Virginia, with expertise in assisting companies in evaluating their current and planned IT needs, as well as in providing Third Party Assurance services, like those described above, to service organizations.
