Compliance Audits: Do They Matter? YES!

AIS-Frank-GaffIf you knew the FDIC did not insure your bank, would you still put your nest egg there for safekeeping?
If you knew your auto’s air bag was turned off, would you continue to drive on the freeway?
And lastly, if you knew your cloud service provider or hosting provider had not been through a compliance audit, would you be able to convince your internal and/or external auditors that you should continue to process and store your company’s or client’s financial or critical data at that provider?
Not likely!
If you are the CFO or CEO of a publicly-traded company, you already are aware of the Sarbanes-Oxley act of 2002. You may not be aware that Section 404 of that act requires you to publish information in your annual report concerning the scope and adequacy of the internal control structure and procedures for financial reporting.
The report must also assess the effectiveness of the stated controls and procedures. In addition, your public accounting firm must attest to and report on the effectiveness of the internal control structure and procedures for financial reporting. That attestation also applies to the control structure of your colocation or cloud service provider.
What about privately-held companies?
While there may be no legal requirements like Sarbanes-Oxley to worry about, you may find your privately-held company providing services to a publicly-held company.
Let’s say you are a managed service provide (MSP) or accounting company and you host your clients in a third-party data center. Depending on the services you offer, you may be asked to provide a report that validates that you are hosted in a data center that has successfully completed one or more compliance audits. Failure to provide an audited compliance report to your clients when requested may lead to a loss of current business and a barrier to new opportunities.
SOC-Service Org_B_Marks_2c_WebIf you are planning to leverage the cloud infrastructure offered by a cloud service provider, you should be concerned about the operational attributes of the provider. If your multi-tenant data center provider has been in business for awhile, they most likely have a track record of successfully completing an annual American Institute of Certified Public Accounts (AICPA) Statement on Auditing Standards (SAS) 70 report on their internal controls.
In existence since 1992, the SAS 70 standard was replaced on June 15, 2011 with a more comprehensive AICPA standard: Statement on Standards for Attestation Engagement (SSAE) 16.
While we will save the review of the differences between SAS 70 and SSAE 16 for a later article, we will point out a few things to be concerned about:

  • If your cloud service provider is touting compliance with SAS 70, they have not had an auditor’s review of their controls environment in over a year and they are clearly “out of compliance.”
  • If your cloud service is only able to claim compliance with SSAE 16 SOC 1, they have merely migrated to the equivalent of the old SAS 70.

In either case, your cloud service provider has not demonstrated that they have implemented the additional internal controls (security and availability) required by cloud users today.
One final point: If your cloud service provider has neither a SAS 70 nor a SSAE 16 audited report (and companies like that are out there), you may be at risk.
For information on AICPA Service Organization Control (SOC) Reports, please go here.
About the Author
Frank Gaff is VP of Service Assurance and Chief Compliance Officer. He has over 30 years of experience in IT, data center, and telecommunications operations. At AIS, he is responsible for the Service Delivery and Client Services organization, managing the client experience from order entry to service implementation and on-going 24x7x365 client support.
Mr. Gaff took over responsibility for compliance and drove company efforts to complete the SSAE 16 SOC 1 Type 2, the SSAE 16 SOC 2 Type 2, and the SSAE 16 SOC 3 audits for our San Diego and Phoenix enterprise-class data centers. He also spearheaded the AIS Change Management and Incident Management procedures that were developed and implemented using the Information Technology Infrastructure Library (ITIL) architecture.