As we all know, when you outsource services to a third-party provider, its risks become your risks. This was already a significant area of concern for clients and potential clients before the advent of cloud computing, and apprehension about the safety of their and their clients’ data has probably been the biggest barrier to the adoption of the cloud to date. However, the adoption of new accounting standards for reporting on service providers’ control environments should help reduce cloud client concerns.
In 1992, the American Institute of Certified Public Accountants (AICPA) issued Statement on Auditing Standards 70, Service Organizations, commonly referred to as SAS 70. SAS 70 was intended to be an auditing framework and process for a service provider to deliver to its customers a report on how its control environment could potentially impact its customers’ financial statement reporting. In the ensuing years, as organizations have become increasingly concerned about compliance and operational risks, SAS 70 has often been misused as an assurance regarding a service provider’s controls around security, privacy, and operations. As SAS 70 was NEVER intended to do this, its use for this purpose actually placed clients at greater risk. The emergence of cloud computing has amplified this abuse, with vendors routinely integrating claims of “SAS 70 compliant” and “SAS 70 certified” into their sales and marketing IP.
The AICPA recognized the problems that could result from this misuse of SAS 70, and has taken steps to establish new rules and reporting frameworks to address all aspects of a service provider’s controls environment, not just those that might impact the integrity of financial reporting. Last year it introduced Statement on Standards for Attestation Engagements 16, Reporting on Controls at a Service Organization, referred to as SSAE 16, as well as a framework for reporting on Service Organization Controls for service provider organizations. The AICPA mandated suppliers officially comply as of June 15, 2011. Although SSAE 16, as did SAS 70, only focuses on controls that impact client financial statement integrity, it incorporates several improvements. These include, but are not limited to, a focus on the service provider’s system of controls versus the vaguer concept of controls, and requirement of a written attestation from the service provider’s management. The new framework consists of three different Service Organization Control (SOC) Reports, as described below:
Just as with SAS 70, there are two types of SOC reporting engagements. In a type 1, the auditor attests that the system or systems were suitably designed as of a specific point in time. In a type 2 engagement, the auditor attests that the systems or systems were operating effectively over a specified time period. Only SOC 1 or SOC 2 reports can be issued in a type 2 engagement.
Summary and Recommendations
The AICPA has done the global services industry a big favor by replacing SAS 70 with its new service organization controls framework. If clients develop a firm grounding in this new framework and its reporting options, they can utilize it to significantly decrease their risk in transferring any type of work to a service provider. When you consider the increased risks related to data security, privacy, and operational integrity involved with moving work to a cloud service provider, the benefits are amplified. This may provide those not previously comfortable with the concept of public or hybrid cloud computing services with a large enough comfort level to reconsider their options.
Given that there are multiple types of engagements and reporting options, there are myriad potential options for leveraging this new controls reporting framework. Thus, global services buyers need to understand and carefully consider their options. At a minimum, cloud services buyers should expect at least SOC 1 and SOC 3 reports based on a type 1 engagement. If they are moving work that involves high volumes and/or significant operational risk, they should go for SOC 1 and SOC 2 reports based on a type 2 engagement. And a word to the wise for those considering the cloud – attain proof that potential providers are SSAE compliant or certified, and be wary of those still touting SAS 70 credentials.