TBS Business Intelligence
SAS 70, SSAE 16, SOC2 and Data Center Standards
Editor's Note: The AICPA's audit program for service providers presents Cloud Computing customers with an alphabet soup of choices. In this informative overview Mr. Klein provides real insight into the best assurance standard for Cloud Services and Data Centers -- the AICPA's SSAE16-SOC2. He writes: "SOC 2 provides much more stringent audit requirements with a stronger set of controls specifically designed around data center service organizations. SOC 2 provides what was missing in the SAS 70 – a standard benchmark by which two data center audits can be compared against the same set of criteria. SOC 2 is a welcome standard to our industry. It will raise the bar for some, and allow others to shine under the stringent processes they already have in place."
Recently, our data center auditors, UHY LLP, presented us with an update on what’s going on in the world of SAS 70, SSAE 16, SOC 2 and SOC 3 auditing standards for data centers. There is still a lot of confusion around these standards and they still seem to be evolving, so I’m writing this article with the effort to capture the status of these standards as succinctly as possible.
SAS 70 (Statement on Auditing Standards No. 70) has been around for nearly 20 years. First released in 1992, it has been the gold standard for data center users to assure that their data center is secure and operating under proper control systems. According to the American Institute of CPAs (AICPA), SAS 70 was never designed to be used by service organizations in this manner. It was focused on internal controls over financial reporting.
SOC2: Expanding Service Organization Controls Reporting
Editor's Note: In this lengthy piece from The Journal of Accountancy, Mr. Halterman explains that the AICPA's SSAE16-SOC2 assurance standard is the right one for Cloud Computing service providers. He writes: "SOC 2 engagements are designed to meet the needs of user entities and other stakeholders by providing service organizations with criteria for describing their systems, criteria for evaluating the suitability of design and operating effectiveness of the service organization’s controls, and an independent CPA’s opinion on the description of the system and the design and operating effectiveness of the service organization’s controls. Examples of service organizations include cloud computing providers, payroll processors, information security service providers and information service providers."
Several prominent internal control breakdowns and increased focus on internal control by regulators, boards of directors and others charged with governance have led to increased demand for attestation reports on controls over subject matter other than financial reporting provided by an independent CPA. Neither Statement on Auditing Standards (SAS) no. 70, Service Organizations, nor the new standard that replaced SAS no. 70, Statement on Standards for Attestation Engagements (SSAE) no. 16, Reporting on Controls at a Service Organization, is intended to address controls relevant to these risks.
In response to this demand, the AICPA has developed the Service Organization Control (SOC) reporting framework. The framework is designed to help service organizations, their customers and CPAs understand the types of examination reports a CPA can issue related to service organization controls. The AICPA also has published new guidance for attestation reports to help meet this growing demand for internal control reporting.
The SOC (commonly pronounced “sock”) framework includes three reporting options. This article focuses on SOC 2 reports and engagements and provides some additional information on SOC 3 engagements.
SOC 1 engagements are performed in accordance with SSAE no. 16 and focus solely on controls at a service organization that are likely to be relevant to an audit of a customer’s financial statements.
SOC 2 engagements are performed in accordance with AT section 101, Attest Engagements, using the guidance provided in the Guide Reporting on Controls at a Service Organization Relevant to Security Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2) (the SOC 2 Guide).
A Googler Explains The Best Cloud Services Model
Microsoft's current competitor to Google Apps, known as BPOS, suffered a three-hour outage this morning.
During the outage, Microsoft explained via Twitter that the next version of its cloud services for business, Office 365, has been rebuilt from the ground up to be more reliable.
Why did Microsoft have to do this?
Google Apps leader Rajen Sheth has a theory.
Sheth explains that Gmail and Google Apps were designed and launched more than five years ago as a multitenant solution. That means that the service itself and the underlying data are automatically distributed among thousands of physical machines.
Google argues this is a much better way of doing things, delivering Reliability, Cost-Savings and Automatic Updates.
Can Cloud Computing Save The American Economy?
We have spent trillions of dollars worldwide on the computers to create and process information, the networks to move it around and the hardware to store it. But we are at a point where we spend 60 to 70% of "IT" budgets just to maintain those systems and infrastructures. No wonder progress in applying IT is so slow. This is the technology equivalent of every organization in the world, big or small, investing the capital and human resources to build and operate its own electricity-producing power plants.
But instead, picture a world where software platforms are available online and easily customizable. Picture a world where compute power is generated off site, available in quantities when and where you need it. And picture a world where information is safely stored, efficiently managed and accessible, when and where you need it.
These are cloud infrastructures.
Why you can quit worrying about cloud security.
At first blush, the cloud-first mandate that federal CIO Vivek Kundra announced late last year makes sense. By spurring agencies to send one application to the cloud in the next year and two more shortly after that, it offers a clear path for cutting IT costs and consolidating federal data centers — two long-standing goals of the Obama administration.
But digging deeper, agency CIOs find themselves facing a harsh reality: Are budget imperatives superseding equally valid concerns about the safety of government systems and data in today’s still-evolving cloud environments?
The answer depends in part on how quickly IT managers can enact new security techniques tailored for the cloud, some of which are still works in progress.
“We must push the envelope,” said James Williams, CIO at NASA’s Ames Research Center, which is developing the Nebula infrastructure as a service offering for the entire agency. “It's not so much about making the cloud secure but about using the cloud to leverage best practices in security across an enterprise.”
Gartner: Clouds, Virtualization Help Pay for IT Projects
A new survey of some 2,000 CIOs by analysis giant Gartner found that, although budgets are not growing yet as the recession recedes, they are looking hard at technologies such as cloud computing and virtualization to reduce IT costs and help to drive revenue growth.
Titled "Reimagining IT: The 2011 CIO Agenda," Gartner's survey sampled 2,014 CIOs who are in sum responsible for IT spending of $160 billion in 50 countries and 38 industries.
"The resource realities indicated in the 2011 CIO Agenda Survey raise the urgency and importance of adopting new infrastructure and operations technologies, such as cloud services and virtualization," Mark McDonald, head of research for Gartner Executive Programs, said in a statement.
"New lighter-weight technologies -- such as cloud computing, software as a service (SaaS), and social networks -- and IT models, enable the CIO to redefine IT, giving it a greater focus on growth and strategic impact," he added.
Gartner: Most CIOs have their heads in the clouds
What do CIOs care most about? Cloud computing, says Gartner. They see the cloud as an opportunity to free up resources that will be reinvested in future growth. Gartner released the findings of its 2011 CIO Agenda survey on Friday.
According to Gartner, the typical IT organization invests two-thirds of its budget in daily operations. Moving to the cloud will free up between 35 percent and a whopping 50 percent of operational and infrastructure resources for reallocation elsewhere.
"Over the next five years, CIOs expect dramatic changes in IT as they adopt new technologies and raise their contribution to competitive advantage," Mark McDonald, a Gartner research vice president, said in a statement. "Leaders will implement new infrastructure technologies to achieve increased efficiency and to redirect IT resources to create greater business impact." Resulting changes will range from "re-imagining IT's role in their organization to the creative destruction necessary to break old practices and redeploy resources to new initiatives."
Saving Energy and Carbon in The Cloud.
Cloud computing—large-scale, shared IT systems infrastructure available over the internet—is transforming the way corporate IT services are delivered and managed. The cloud’s unprecedented economies of scale reduce overall cost and increase efficiencies, especially when replacing an organization’s locally operated on-premise servers. But do these advantages also translate to environmental benefits?
Microsoft has commissioned a lifecycle analysis (a study that calculates the environmental impacts of a product or service across its entire lifecycle), conducted by Accenture and WSP, that shows cloud computing has the potential to reduce a company's energy use and carbon emissions. This study shows that organizations choosing to run Microsoft’s Business Productivity Online Services, such as Exchange Online and SharePoint Online, or Microsoft Dynamics CRM Online can reduce energy use and their carbon emissions by at least 30% per user compared to an average on-premise installation of those applications.