Looking for a CSP? Why Compliance Reports Matter

If you knew the FDIC did not insure your bank, would you still put your nest egg there for safekeeping? If you knew your auto’s air bag was turned off, would you continue to drive on the freeway?
And lastly, if you knew your cloud service provider (CSP) or hosting provider had not been through a compliance audit, would you be able to convince your internal and/or external auditors that you should continue to process and store your company’s or client’s financial or critical data at that provider?
Not likely!
If you are the CFO or CEO of a publicly-traded company, you already are aware of the Sarbanes-Oxley act of 2002. You may not be aware that Section 404 of that act requires you to publish information in your annual report concerning the scope and adequacy of the internal control structure and procedures for financial reporting.
The report must also assess the effectiveness of the stated controls and procedures. In addition, your public accounting firm must attest to and report on the effectiveness of the internal control structure and procedures for financial reporting. That attestation also applies to the control structure of your colocation service provider (CSP).
What about privately-held companies?
While there may be no legal requirements, like Sarbanes-Oxley to worry about, you may find your company providing services to a public company.
Let’s say you are a managed service provide (MSP) or accounting company and host your clients in a third party data center. Depending on the services you provide, you may be asked to provide a report that validates that you are hosted in a data center that has successfully completed one or more compliance audits. Failure to provide an audited compliance report to your clients when requested may lead to a loss of current business and a barrier to new opportunities.
If you are planning to leverage the cloud infrastructure offered by a CSP, you should be concerned about the operational attributes of the provider. If your multi-tenant data center provider has been in business for a while, they most likely have a track record of successfully completing an annual American Institute of Certified Public Accounts (AICPA) Statement on Auditing Standards (SAS) 70 report on their internal controls.
In existence since 1992, the SAS 70 standard was replaced on June 15, 2011 with a more comprehensive AICPA standard: Statement on Standards for Attestation Engagement (SSAE) 16.
While we will save the review of the differences between SAS 70 and SSAE 16 for a later article we will point out a few things to be concerned about:

  • If your CSP is touting compliance with SAS 70, they have not had an auditor's review of their controls environment in over a year and they are clearly “out of compliance.”
  • If your CSP is only able to claim compliance with SSAE 16 SOC 1, they have merely migrated to the equivalent of the old SAS 70.

In either case, your CSP has not demonstrated that they have implemented the additional internal controls (security and availability) required by cloud users today.
One final point: If your CSP has neither a SAS 70 nor a SSAE 16 audited report (and companies like that are out there) to provide you, the customer, with the assurance they have the stringent controls in place required for today’s CSPs, you may be at risk.
For information on AICPA Service Organization Control (SOC) Reports, please go here.
This post was written by Frank Gaff, AIS Vice President of Service Assurance and Chief Compliance Officer.