Internal Control Over Financial Reporting and the Cloud
By 2020, 40 percent of digital information is expected to be created in the Cloud, delivered to the Cloud, or stored and manipulated in the Cloud. It is clear that the Cloud is here to stay. As a large-scale version of outsourcing, Cloud computing will create new challenges and complications for management and auditors. After the replacement of SAS 70 with SSAE 16 (similar to ISAE 3402), most Cloud Service Providers will provide assurances to Cloud Service Users within the framework of attestation standards instead of auditing standards. Outsourcing presents some challenges in itself, and Cloud computing further complicates those challenges. The new framework allows three different deployment models in the form of SOC 1, SOC 2 and SOC 3. It is crucial that Cloud Service Providers, Cloud Service Users and their auditors carefully consider the alternative Service Organization Controls (SOC) deployment models. Unfortunately, many Cloud providers are opting for SOC 1, leaving little room for the development of SOC 2 reports. The right SOC deployment model for the Cloud is SOC 2 or SOC 3.