Q&A Forum

Are data in the 'cloud' readily auditable? (Webinar Attendee Question)

With so many questions about security and reliability in the cloud, is data held there really "auditable"?

This question was asked by an attendee during the Proformative webinar "How New Technologies are Changing the Role of Finance" held on November 6, 2012.  A video of the webinar can be viewed here: https://www.proformative.com/resources/webinar-video-how-new-technologies-are-changing-role-finance

Answers

Topic Expert
Barrett Peterson
Title: Senior Manager, Actg Stnds & Analysis
Company: TTX

Yes, as much as with any software application, regardless of where hosted. Related document management processes and other controls will also be important. You will likely need an internal controls (SSAE 16) report from your provider.

Donald Koscheka
Title: Principal
Company: Bluecloud Communications

Microsoft has recognized this need with SharePoint - its document management system (also available in an online version). One issue with auditability is access permissions - do auditors have the appropriate permissions to review information online? SharePoint provides for an 'auditors' security group that provides specific access to content regardless of the permissions that have been put on that content.

James Ang
Title: Marketing Manager
Company: Baker Tilly

Contribution by Chris Tait, MBA, CISA, CFSA - Director
at Baker Tilly Virchow Krause, LLP:

Basically, our advice to our clients is to follow good vendor management principles. Those haven’t changed in a long time; however, the types of assurance one can get have changed to keep up with the constantly moving landscape.

1. Assurance – the AICPA created new assurance standards commonly referred to as SSAE16 or SOC reports. Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization, providing valuable information that users need to assess and address the risks associated with an outsourced service.
- http://www.bakertilly.com/SOC-reporting
- http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx

2. Security – ISO Certifications are very common (ISO 2700x)

3. Cloud Specific – the Cloud Security Alliance (https://cloudsecurityalliance.org/) are pushing very hard for transparency and self-attestation in the arena. Big players like Microsoft and Amazon.com are on board.
Key items of note:
- CSA STAR (Security, Trust and Assurance Registry) - https://cloudsecurityalliance.org/star/ This is not the Holy Grail – but gets at the root of a push for transparency and sharing of information
- They have developed a cloud framework called the CCM (Cloud Control Matrix) – very cool stuff and free to download and use as a part of your normal audit / assurance procedures
- Work with your provider to get disclosures and information that you need to be comfortable. Keep asking and be inquisitive.

Anonymous
(Sales Representative)

Having your data hosted won't prevent you in any way from performing an audit. In many instances, having your data within a hosted environment allows for the audit to be completed sooner and with less disruption to your business as the auditing party can gain access to the data within the ‘live’ environment.

Naturally, security remains the utmost. Therefore, you want to ensure the hosting provider is SSAE16 certified as well as an approved Intuit Commercial Hosting Provider should you choose to have your QuickBooks hosted. Many of the approved Commercial Hosting Providers can also provide you with their most recent SOC reports for your review. Additionally, when considering migrating to a hosted environment, implementation of the provider's infrastructure is pivotal, as poor design can be a catalyst to increased downtime and poor performance.

In researching various commercial providers, I have found Right Networks to offer the most reliable and scalable solution.

(Agent, JKS Solutions, Inc.)

Cloud9 is also a compliant hosting solution.
