Managing the Impact of Cloud Computing

Perspectives on Vulnerabilities, ERM, and Audit Services

InFocus

By Meredith Stein, Vincent Campitelli, and Steven Mezzio

JUNE 2020 / THE CPA JOURNAL

IN BRIEF

Cloud computing is in the vanguard of a global digital transformation. This article looks at how to identify cloud computing opportunities and operationalize cloud activities. It also defines the stakeholders involved in the enterprise’s risk management strategy and shared responsibility model. Finally, the article provides advice on how to manage the disruption caused by the adoption of cloud computing.

A fourth Industrial Revolution is underway globally: a digital revolution driven by the rapid, wide-scale deployment of digital technologies, such as high-speed mobile Internet capabilities, artificial intelligence (AI), and machine learning. Cloud computing is at the vanguard of this transformation. As a result, organizations of all sizes, sectors, and geographies have substantially and rapidly increased their use of cloud computing. According to Gartner (2019), more than one-third of organizations see cloud investments as a top-three priority. The public cloud services market is projected to reach a staggering $266 billion in 2020.

One driver in this proliferation and widespread use of cloud computing is the current digital transformation. In a 2016 address, Microsoft CEO Satya Nadella advanced this enduring description of digital transformation: “becoming more engaged with their customers, empowering their employees, optimizing how they run their business operations and transforming the products and services they offer using digital content.” From a cloud computing perspective, such benefits include outsourcing costly, hard-to-update, and hard-to-manage in-house IT infrastructure; streamlining and scaling storage, software, and application support; increasing speed and processing capacity; and reducing costs. As a result, organizations of all sizes, geographies, and sectors, including CPA firms and their clients, are developing their own private clouds or purchasing public cloud services from cloud service providers (CSPs), such as Microsoft Azure and Amazon AWS.

While such potential benefits are compelling, market intelligence reveals that cloud computing exacerbates existing risks and creates new and unexpected ones. For example, a cloud security breach exposed the names, addresses, and account details of as many as 14 million U.S.-based Verizon customers. In this context, one can only imagine the potential cloud-related cybersecurity breaches and service failures that may emerge from the unexpected disruption and rapid transformation to remote working caused by the current coronavirus (COVID-19) pandemic. On the one hand, workers unexpectedly transitioning to remote working have been enabled in part by cloud computing to immediately, rapidly, and seamlessly access necessary data, software, and applications. On the other hand, such an unanticipated disruption and rapid transformation has exacerbated existing risks and created new risks as workers access data from remote locations; for example, breaches of data confidentiality, unauthorized access, and system availability failures.

This disruptive cloud paradigm raises questions from corporate boards, managers, regulators, and assurance providers concerning cloud strategy, performance, risks, and controls. Such questions include: the scope and location of cloud activities; the implications of dependency on a web of CSP vendors; reputation, intellectual property, financial statement, and market trust vulnerabilities; global jurisdictional regulatory compliance; and the adequacy of risk management, cybersecurity, audit, and change management. This article looks at cloud computing opportunities, risks, and resiliency strategies, including enterprise risk management, CPA firm assurance, and change management.

The Cloud’s Impact

The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released. In simple terms, the cloud is a massive cluster of super-sized servers housed in locations scattered around the globe (i.e., cloud farms). Cloud farms are operated by CSP vendors such as Amazon AWS; these vendors provide a range of hosting services.

Some organizations are adopting a cloud-first strategy for new systems or when replacing systems. Popular cloud deployment models include private clouds, public clouds, hybrid clouds, and community clouds; Exhibit 1 defines each model. Popular CSP cloud services include Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS); Exhibit 2 defines each service. Pay-as-you-go (i.e., customers are billed based on their levels of usage) is a popular pricing model.

Cloud computing also changes organizations. According to Deloitte (2020), “Executives extend the enterprise every time they use a cloud service, outsource a business process, or otherwise spread operations beyond the traditional four walls of their organization.” In a cloud computing context, this “extended enterprise” creates a complex web of distributed, interconnected, and interdependent shared-responsibility participants, including employees (i.e., first party), customers (i.e., second party), vendors, and their hired subcontractors (i.e., third, fourth, and fifth parties). Exhibit 3 depicts this web of extended relationships.

The cloud also democratizes and decentralizes IT activities; that is, non-IT employees are capable of developing applications and are given the authority to contract directly with CSPs outside of the centralized IT procurement process.

Cloud-driven changes, such as the following, also impact the CFO organization.

Accounting—FASB issued Accounting Standards Update 2018-15, Intangibles—Goodwill and Other—Internal-Use Software (Subtopic 350-40): Customer’s Accounting for Implementation Costs Incurred in a Cloud Computing Service Arrangement that is a Service Contract, to provide guidance on accounting for cloud computing arrangements.

Tax—States are issuing and updating regulations on the taxability of CSP vendor transactions.

Compliance with Regulations (e.g., Health Insurance Portability and Accountability Act [HIPAA], Sarbanes-Oxley Act [SOX])—The use of CSPs creates a shared-responsibility model, requiring a contractual definition of responsibilities for controls and assurance rights.

The cloud also exacerbates existing risks, creates new and unexpected risks, and stretches the limits of governance, risk management, cybersecurity, internal audit, assurance, and change management. For CPA firms and their clients, this cloud disruption requires a what-can-go-wrong analysis.


Exhibit 1: Cloud Computing Deployment Models, per NIST

Single and Multi-Public Cloud: Available to the general public; owned and operated by a third-party CSP.

Single and Multi-Private Cloud: Provisioned for the exclusive use of one organization, which may comprise multiple business units (internal customers); may be on or off premises.

Community Cloud: Shared by several organizations and supports a specific community that has shared requirements; may be managed by the organizations or a third party; may exist on or off premises.

Hybrid Cloud: A composite of two or more of the other three deployment models (private, community, or public), bound together by technology that enables data and application portability.

CSP = cloud service provider; NIST = National Institute of Standards and Technology


The Dark Side of the Cloud?

As far back as 2013, McKinsey warned, “Large institutions, which have many types of sensitive information to protect and many cloud solutions to choose from, must balance potential benefits against, for instance, risks of breaches of data confidentiality, identity and access integrity, and system availability.” More recently, IDC (2018) reported that 50% of security professionals spend most of their time securing the cloud. In 2019, the Cloud Security Alliance (CSA) published its top 11 cloud security threats. Exhibit 4 presents the CSA’s 11 threats.

In spite of such warnings, recent cloud breaches such as the following continue to emerge:

Capital One—Exposed 80,000 bank account numbers and over 1 million government identification numbers
Facebook—Exposed 540 million records (identification numbers, account names, likes, and comments) left in a publicly accessible cloud storage bucket by a third-party app developer
Instagram—Exposed 49 million records linked to private data such as e-mail addresses

In 2019, Gartner advanced the following predictions concerning cloud security:

Through 2024, the majority of enterprises will continue to struggle with measuring cloud security risks.
Through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data.
Through 2025, 99% of cloud security failures will be the customer’s fault.

The wave of breaches suggests that cloud computing is risky: it exacerbates existing risks (known-knowns), creates new risks (unknown-knowns), and creates unforeseeable risks (unknown-unknowns). For example, consider the following service availability and cyber-risks associated with the geographic location of the cloud servers a company is relying on:

Source of power: who owns it, and who distributes it?
Staffing: impact of unexpected events (e.g., a pandemic); are the CSPs prepared?
Security of access, including espionage: who has internal access to files?
Hardened sites against radioactive dissemination: where is the backup, and is it accessed via satellite or undersea cable?
Human error, such as commingling of information, data dumps, and cleansing: how are such risks managed?

Sector-level regulations will play an important role in addressing such risks. For example, a customized set of standards has been developed under the umbrella of the U.S. Federal Risk and Authorization Management Program (FedRAMP) to authorize the use of cloud services by federal agencies. HIPAA regulations that govern cloud resources offered by a CSP are another sector example. The HIPAA Privacy, Security, and Breach Notification Rules establish important protections for individually identifiable health information when created, received, maintained, or transmitted by a HIPAA-covered entity or business associate (e.g., a CSP). Accordingly, CSP-related SLAs should include provisions that address HIPAA-related requirements, including system availability and reliability; backup and data recovery; the manner in which data will be returned to customers after service termination; security responsibilities; and use, retention, and disclosure limitations.

Regulatory compliance alone will not suffice. To mitigate risk, an organization should conduct a holistic, enterprise-wide what-can-go-wrong analysis, including an analysis of cybersecurity risks and a single-point-of-failure risk analysis associated with its cloud ecosystem. A what-can-go-wrong analysis posits the question: Are CPA firms and their clients prepared to respond to cloud risks?

Enterprise Risk Management Perspectives

Cloud computing disrupts organizations, calling into question its impact on governance, compliance, risk management, cybersecurity, audit, and change management.

Cloud transparency. The KPMG Audit Committee Institute highlighted “understanding technology’s impact”—with a reference to cloud computing—as one of its seven items to consider for the audit committee’s 2020 agenda. In this context, an organization needs transparency into the nature, scope, and location of CSP vendors and the performance of their cloud activities. The board, senior management, and CPAs should ask the following questions:

What is our enterprise-wide cloud footprint?
Do we have an inventory of cloud activities?
Where are our servers, software, and applications?
Who is responsible and accountable for cybersecurity, system recovery, and controls?
Is there a heat map valuing data stored in private and public clouds, by location?
Are shared responsibilities for performance, availability, cybersecurity, and third-party assurance clearly defined and formalized in a service level agreement (SLA)?
Which global jurisdictional regulations are we subject to?
Do management, the board, CSPs, and auditors understand cloud risks?
What are the CSP contractual requirements and SLA terms and commitments?
Who is accessing our data, and why? Can they see our draft 10-K and trade secrets?
Do our primary CSPs subcontract our cloud needs to other CSP subcontractors (i.e., third- and fourth-party risk)?
Are other jurisdictions accessing our data and surveilling our activities?
Do accountants, lawyers, and other vendors safeguard access to and storage of our data?
Is shared responsibility for risk management strategy, methods, and skills designed properly and operating effectively?
Are we monitoring breaches and system failures on a continuous basis?
Are stakeholders effective and accountable to those who share responsibility for governance?
Are we conducting a top-down enterprise risk management assessment?

While these questions may seem fundamental, market intelligence suggests that some organizations are unclear about the nature, scope, and locations of their cloud activities.

Exhibit 2: Three Primary Models of Cloud Services, per NIST

Infrastructure as a service (IaaS): The CSP delivers and manages the basic computing infrastructure of servers, virtualization software, storage, and network equipment; the client deploys and manages its own operating systems and applications on top of it.

Platform as a service (PaaS): The CSP delivers and manages the infrastructure, operating system, and programming tools and services, which the client can use to create applications.

Software as a service (SaaS): The CSP delivers one or more applications and all the resources (operating system and programming tools) and underlying infrastructure, which the client can use on demand.

CSP = cloud service provider; NIST = National Institute of Standards and Technology

One reason for this is “shadow” IT activities. This refers to empowered employees scattered throughout the organization who are adopting cloud services under the radar of the IT department. According to Gartner, most organizations grossly understate the number of shadow IT applications already in use. A continuously updated inventory of the current state of organization-wide cloud activities is essential for conducting a holistic analysis of cloud performance and risk.
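One concrete way to start building the inventory the paragraph above calls for is to mine the web-proxy logs that already record every employee’s SaaS traffic, since shadow IT leaves traces there even when procurement never saw a contract. The following Python script is an added example, not code from the article or its authors. Everything in it is constructed for illustration: the squid-style log format (epoch timestamp, user, HTTP method, URL, bytes), the SaaS domain catalogue, the list of sanctioned services, and the log lines themselves. It attributes each request to a service by longest-suffix domain match (so a look-alike host such as evil-dropbox.com is not mistaken for Dropbox), aggregates users, request counts, and upload volume per service, skips malformed lines instead of aborting, and reports the services that are not on the sanctioned list, largest upload volume first.

```python
"""Shadow-SaaS discovery from web-proxy logs (added example; constructed data).

Each proxy line is: <epoch seconds> <user> <HTTP method> <URL> <bytes>.
Requests are attributed to a SaaS service by longest-suffix match of the
URL host against a domain catalogue; services not on the sanctioned list
are reported with who used them and how much data went out.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed catalogue: SaaS domain suffix -> service name.
SAAS_CATALOG = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "box.com": "Box",
    "docs.google.com": "Google Drive",
    "drive.google.com": "Google Drive",
    "sharepoint.com": "Microsoft 365",
    "onedrive.live.com": "Microsoft 365",
    "wetransfer.com": "WeTransfer",
    "s3.amazonaws.com": "Amazon S3",
}

# Constructed: the services procurement has actually contracted.
SANCTIONED = {"Microsoft 365"}

# Constructed squid-style access log lines (one deliberately malformed).
SAMPLE_LOG = """\
1593100000.123 alice GET https://outlook.office.com/mail/inbox 1200
1593100001.456 alice POST https://www.dropbox.com/upload 5242880
1593100002.789 bob GET https://contoso.sharepoint.com/sites/finance 3400
1593100003.111 bob POST https://api.wetransfer.com/v2/transfers 104857600
1593100004.222 carol PUT https://acme-backups.s3.amazonaws.com/ledger.csv 20971520
1593100005.333 alice POST https://content.dropboxapi.com/2/files/upload 1048576
this line is malformed and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<bytes>\d+)$"
)


def host_of(url):
    """Return the lower-cased host of a URL, or None if it has no scheme://host."""
    m = re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/:?#]+)", url)
    return m.group(1).lower() if m else None


def classify(host):
    """Map a host to a catalogue service by longest matching domain suffix.

    Matching on '.'-separated suffixes (not a bare endswith) keeps look-alike
    hosts such as evil-dropbox.com from being classified as the real service.
    """
    best = None
    for domain, service in SAAS_CATALOG.items():
        if host == domain or host.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, service)
    return best[1] if best else None


@dataclass
class ServiceUsage:
    users: set = field(default_factory=set)
    requests: int = 0
    upload_bytes: int = 0


def discover_shadow_saas(log_text, sanctioned=SANCTIONED):
    """Return unsanctioned SaaS services seen in the log, heaviest uploaders first."""
    usage = defaultdict(ServiceUsage)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        host = host_of(m["url"])
        service = classify(host) if host else None
        if service is None:
            continue  # not a catalogued SaaS host
        u = usage[service]
        u.users.add(m["user"])
        u.requests += 1
        if m["method"] in ("POST", "PUT"):  # body-bearing methods count as egress
            u.upload_bytes += int(m["bytes"])
    findings = [
        {
            "service": service,
            "users": sorted(u.users),
            "requests": u.requests,
            "upload_mb": round(u.upload_bytes / 2**20, 1),
        }
        for service, u in usage.items()
        if service not in sanctioned
    ]
    return sorted(findings, key=lambda f: (-f["upload_mb"], f["service"]))


if __name__ == "__main__":
    for f in discover_shadow_saas(SAMPLE_LOG):
        print(f"{f['service']:<12} users={','.join(f['users']):<12} "
              f"requests={f['requests']} uploaded={f['upload_mb']} MiB")
```

On the constructed log this reports WeTransfer (bob, 100 MiB), Amazon S3 (carol, 20 MiB), and Dropbox (alice, two requests, 6 MiB), while the sanctioned Microsoft 365 traffic and the uncatalogued outlook.office.com request are left out. In practice the catalogue would come from a CASB or a maintained feed and the output would be reconciled against the procurement register, but the core of the inventory problem is exactly this join between observed traffic and approved services.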

Cloud computing and ERM. The linkage of objectives and risks is a foundational premise of enterprise risk management (ERM) frameworks. The International Organization for Standardization (ISO) defines risk as the “effect of uncertainty on objectives.” For cloud computing, such objectives may include privacy, availability, productivity, reliability, compliance, cost transparency, and cost savings. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework, Enterprise Risk Management: Integrating with Strategy and Performance (https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf), makes explicit the linkage of performance objectives and risk.

An ERM approach can also contribute to “cyber-resiliency,” the ability to rapidly and fully recover from system failures and security breaches. In a 2020 financial services industry report, Thomson Reuters identified cyber-resiliency as a key regulatory risk, asserting that “senior individuals need to ensure cyber-risks are expressly included in the range of risks considered, and the board is prepared to discuss the actions taken to ensure all possible has been done to embed cyber-resilience throughout the firm.” The organization’s incident response plan, including plans for incident handling and information spillage response, should be an integral part of cybersecurity policy and of an ERM analysis. In summary, an ERM analysis that integrates cloud computing can contribute to cloud performance; managing cloud risk; rapid, timely, and proper incident response; change management; and resiliency.

An ERM analysis will also assist CPA firms and other assurance providers with identifying and assessing risks and controls, as well as the nature, timing, and extent of audit and attestation procedures selected. Exhibit 5 presents an example of ERM analysis.


Exhibit 3: Extended Enterprise: Web of Data Sharing and Cloud Computing

[Diagram. The Client shares data with its CPA Firm and its Law Firm; each firm’s staff (CPA Firm Staff, Law Firm Staff) work in that firm’s third-party CSP (CPA Firm’s 3rd-Party CSP, Law Firm’s 3rd-Party CSP); the CSP Vendor hands work to 4th-party CSP Subcontractors, which in turn use a 5th-party CSP Subcontractor.]

Legend
Third-party vendors: CSP vendors and advisors (legal and assurance)
Fourth-party vendors: CSP subcontractors
Fifth-party vendors: Subcontractors of CSP vendors and staff of advisors


CPA Firm Perspectives

Cloud computing is disrupting CPA firms, their clients, and the traditional norms of the external audit and quality control. In its 2020–2021 Strategy Plan, the AICPA Auditing Standards Board (ASB) addressed this issue: “Rapid developments in technologies are having a profound effect on audit and assurance engagements, including the use of automated tools and techniques and changes in how engagement teams are structured and interact.” In Initiative D, “Keep our standards relevant in a changing environment,” the ASB commits to monitoring the use of innovative technologies and determining whether the standards in place for the acceptance of clients and service performance are appropriate.

Cloud computing impacts CPA assurance providers in a range of ways; for example, obtaining an understanding of the audit client’s cloud environment; identifying and assessing risks of material misstatement (RMM); defining the role to be served by System and Organization Controls (SOC) reports; and assessing the impact of the client’s and the firm’s cloud computing activities on the firm’s compliance with GAAS Quality Control (QC) Standards.

Client environment and the risk of material misstatement. Audit clients are increasingly moving some or all of their accounting systems and financial statement data to public clouds. This cloud transition introduces complexity, disruption, and risk.

For example, a cloud computing environment often integrates third-party CSPs and potentially fourth-party subcontracted CSPs (Exhibit 3) into the client’s accounting system and control environment. Such a complex web of CSPs results in responsibilities shared between the client and CSPs for financial accounting data, cybersecurity, internal control over financial reporting (ICFR), System and Organization Controls (SOC) reporting, and assurance services.

Such material changes to the control environment and accounting system require auditors to obtain an understanding of the company’s environment and risks as a basis for assessing the risk of material misstatement (RMM) of the financial statements, as prescribed by PCAOB Auditing Standard (AS) 2110.

A prudent starting point for obtaining a preliminary understanding of a company’s cloud environment and risks is the analysis of the inventory of audit client cloud activities, including the nature and extent of third- and fourth-party CSP vendors and any material changes in such arrangements during the period under audit. The audit client will be the primary source for obtaining an understanding of the current state of the cloud. Market intelligence suggests, however, that some organizations may not have an up-to-date current state analysis of their cloud activities. If documentation does not exist, this will increase RMM and may require additional audit procedures (e.g., walkthroughs), specialized cloud audit skills, and higher audit fees.

SOC reports in a cloud environment. SOC for Service Organizations reports are internal control reports on the services provided by an outsourcing service organization (e.g., a CSP). AICPA SOC reports are issued under the attestation standards (SSAE 18), with SOC 1 engagements following AT-C section 320. The SOC suite comprises SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity; Exhibit 6 defines each report.

For audit clients with material cloud computing operations, the selection of report type, as well as the contractual right to obtain such reports or to conduct such procedures, will be based upon a range of factors, including the type of assurance service and the audit client’s cloud footprint, the web of third- and fourth-party CSP vendors, shared control responsibility agreements, and the terms of service-level agreements (SLAs) with CSPs.

CPA firm QC. One of the six elements of the AICPA quality control (QC) standards deals with client acceptance and retention, requiring consideration of whether the CPA firm is “competent to perform the engagement and has the capabilities, including time and resources, to do so.” Another element is associated with human resources, requiring that the CPA firm have “sufficient personnel with the competence and capabilities to perform engagements in accordance with professional standards and applicable legal and regulatory requirements.” To comply with these QC standards in a cloud computing assurance engagement, CPA firms will need to assess the demand for, and timely availability of, the necessary specialized skills.

Exhibit 4: Cloud Security Alliance (CSA) Top 11 Threats to Cloud Computing (2019)

1. Data breaches
2. Misconfiguration and inadequate change control
3. Lack of cloud security architecture and strategy
4. Insufficient identity, credential, access, and key management
5. Account hijacking
6. Insider threats
7. Insecure interfaces and application programming interfaces (APIs)
8. Weak control plane
9. Metastructure and applistructure failures
10. Limited cloud usage visibility
11. Abuse and nefarious use of cloud services
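Threats 2 and 4 in the CSA list (misconfiguration, and insufficient identity and access management) are the customer-side failures behind the bucket exposures cited earlier, and they are visible in the access-policy documents themselves before any data leaves. The Python checker below is an added example, not code from the article, the CSA, or any provider; the three policy documents are constructed (the account ID 123456789012, the bucket acme-ledger, the role name, and the VPC endpoint ID are made up), while aws:SourceVpce and aws:SecureTransport are real AWS condition keys. It flags Allow statements that grant access to the anonymous principal (“*” or {“AWS”: “*”}, which S3 treats alike), downgrades that finding when a Condition gates it, and flags identities holding a wildcard action on every resource. A hardened version of the exposed bucket policy is included to show what a clean result looks like. The checker reads only Action, Resource, Principal, and Condition; it does not evaluate NotAction, NotPrincipal, cross-account resource grants, or organization policies, so it is a first-pass screen rather than a full access analysis.

```python
"""Static misconfiguration check for cloud access policies (added example).

All policy documents below are constructed for illustration. The checker
flags two failure modes from the CSA list: statements granting anonymous
(public) access, and identities holding wildcard actions on all resources.
"""
import json

# Constructed S3 bucket policy: one public statement, one gated by a VPC endpoint.
EXPOSED_BUCKET_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-ledger/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::acme-ledger", "arn:aws:s3:::acme-ledger/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0a1b2c3d4e5f67890"}}}
  ]
}"""

# Constructed hardened form: one named role may read; non-TLS access is denied.
HARDENED_BUCKET_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "LedgerReaderOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ledger-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-ledger/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::acme-ledger", "arn:aws:s3:::acme-ledger/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}"""

# Constructed IAM identity policy (no Principal element) carrying an admin wildcard.
OVERBROAD_ROLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": "logs:GetLogEvents",
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/*"},
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}"""


def _as_list(value):
    """The policy grammar allows a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for the anonymous principal "*" or {"AWS": "*"}; S3 treats both as public."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_issues(policy):
    """Return (sid, severity, description) for each risky Allow statement."""
    issues = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if is_public_principal(stmt.get("Principal")):
            if stmt.get("Condition"):
                issues.append((sid, "MEDIUM", "public principal gated only by a Condition; "
                               "confirm the condition keys cannot be attacker-influenced"))
            else:
                issues.append((sid, "HIGH", f"anonymous access to {', '.join(actions)}"))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            issues.append((sid, "HIGH", "wildcard action on all resources (over-privileged identity)"))
    return issues


def check_policy_document(text):
    """Parse a JSON policy document and return its issues."""
    return find_issues(json.loads(text))


if __name__ == "__main__":
    for name, doc in [("exposed bucket", EXPOSED_BUCKET_POLICY),
                      ("hardened bucket", HARDENED_BUCKET_POLICY),
                      ("over-broad role", OVERBROAD_ROLE_POLICY)]:
        for sid, sev, msg in check_policy_document(doc) or [("-", "OK", "no findings")]:
            print(f"{name:<16} {sid:<22} {sev:<6} {msg}")
```

Run against the constructed documents, the exposed bucket policy yields a HIGH finding on PublicRead and a MEDIUM on VpcOnly, the hardened policy yields nothing, and the role policy yields a single HIGH on Admin. Checks like this belong in the change-control path (threat 2) as a pre-deployment gate, not only in a periodic audit, because a bucket or role is exposed from the moment the policy is applied.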


Another important element of the AICPA QC standards covers new client acceptance and retention of existing clients. Such QC considerations include the following:

Client cloud security breach risk and the impact on CPA firm reputational risk
Cost and pricing of services that inherently demand more time and specialized skills
Challenges associated with timely and complete access to audit evidence controlled by third- and fourth-party CSPs
Whether engagement teams have timely access to the necessary specialized competencies in cloud computing, including industry- and geography-specific regulations
The ability to safeguard client data stored in the firm’s cloud that has been accessed through the client’s cloud and from the client’s CSPs

A CPA firm will need to make selective changes to accept cloud computing-related engagements, such as training staff, securing subject-matter experts, and protecting the privacy of client data accessed through the client’s and their CSPs’ clouds and stored on the CPA firm’s clouds.

Exhibit 5: Sample Enterprise Risk Management (ERM): Cloud Risk Analysis

Risk: If an organization does not invest in, adequately implement, and maintain cloud computing to meet its business needs, then innovations and efficiencies in operations may not be achieved.
Likelihood: Medium. Impact: High.
Possible risk response: Formalize terms of cloud services with a service level agreement (SLA) to document roles and shared responsibilities between the organization and the cloud service provider (CSP) vendor. Perform due diligence before entering into an SLA with a third-party CSP vendor.

Risk: If stakeholders subvert the initiative to use cloud computing, then the change may not be universally and properly adopted.
Likelihood: Medium. Impact: Medium.
Possible risk response: Dedicate a team of change management specialists to the change initiative. Understand how to engage stakeholders, manage their expectations, and facilitate accountability and responsibility. Assess the change readiness of stakeholders. Communicate the importance of the change, time frames, and responsibilities of stakeholders. Develop training and provide stakeholder assistance.

Risk: If there is a failure to safeguard personally identifiable information that results in a breach or incident, then there will be an adverse impact on the business and on the individuals whose information was compromised.
Likelihood: Low. Impact: High.
Possible risk response: Establish cybersecurity policies and procedures, conduct annual IT audits, and require employees to complete security awareness training.

Risk: If the organization is unaware of the full inventory of cloud services being used, critical weaknesses may go undetected and data may be subject to theft, exploitation, and manipulation.
Likelihood: High. Impact: High.
Possible risk response: Conduct an assessment to determine the full inventory of cloud services.

Risk: If an SLA with the CSP does not exist or does not specify terms related to data rights, data usage, or vendor lock-in, then the organization may be at risk of not efficiently managing cloud services and expenses.
Likelihood: Medium. Impact: Medium.
Possible risk response: Require the CSP to provide cost calculation tools and data usage monitoring services. Document data ownership rights and the ability to retrieve data from the CSP upon term end.

Risk: If an SLA with the CSP does not specify terms related to oversight, accountability, and monitoring, then the organization is unaware of the adequacy of a third-party CSP’s risk management practices.
Likelihood: High. Impact: High.
Possible risk response: Describe the role of the CSP in monitoring subcontractors providing fourth-party cloud services. Define whether data stored on CSP servers must be located in the United States. Document roles, responsibilities, nature, timing, scope, and frequency of internal audit and third-party (e.g., CPA firm) assurance.


Adapting to Digital Transformation

The emergence of cloud computing and the incipient digital transformation of business is having a profound impact on the traditional techniques and services provided by CPA firms. Organizations adopting or leveraging cloud computing should obtain a continuous update of their inventory of cloud activities, including the nature, scope, and locations of their cloud activities; conduct a holistic, enterprise-wide what-can-go-wrong analysis, including cybersecurity risks and single-point-of-failure risks associated with their cloud ecosystem; and perform an analysis of cloud computing resiliency, including an ERM analysis of cloud performance, security risk, and change management risk. CPA firms adapting to digital disruption and transformation must obtain an understanding of the implications of cloud computing on their clients’ business and control environment; analyze risks of material misstatement and cybersecurity risks; assess cloud controls; and manage cloud-informed changes to the CPA firm’s QC processes and compliance.

Meredith Stein, CPA, leads the NIH Risk Management Program at the National Institutes of Health (NIH), Bethesda, Md. The views expressed are her own and do not necessarily represent the views of the NIH or the United States Government. She began her career with KPMG. Vincent Campitelli, CPA, is a consultant to the office of the president of the Cloud Security Alliance (CSA) Seattle, Wash., serving as an enterprise security specialist with a focus on cloud computing. He is formerly a partner of PricewaterhouseCoopers. Steven Mezzio, PhD, CPA, CISA, CISSP, FSAI, is a professor of accounting and the executive director of the Center for Excellence in Financial Reporting for the Pace University Lubin School of Business. He is also a former partner with PricewaterhouseCoopers.

Resources

Cloud Computing
Gartner: https://www.gartner.com/en/newsroom/press-releases/2019-04-02-gartner-forecasts-worldwide-public-cloud-revenue-to-g
Microsoft CEO: https://news.microsoft.com/features/satya-nadella-why-businesses-should-embrace-digital-transformation-not-only-to-survive-but-also-to-thrive/

The Cloud’s Impact
Deloitte: https://www2.deloitte.com/us/en/pages/about-deloitte/articles/press-releases/deloitte-poll-extended-enterprise-risk-management-to-be-2019-focus.html
FASB: https://www.journalofaccountancy.com/news/2020/jan/accounting-for-cloud-computing-22531.html
Information Week: https://webcache.googleusercontent.com/search?q=cache:p3OgaFFf57g-J:https://www.informationweek.com/cloud/predictions-for-cloud-computing-in-2020/a/d-id/1336738+&cd=2&hl=en&ct=clnk&gl=us

The Dark Side of the Cloud
McKinsey: https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/protecting-information-in-the-cloud
Gartner: https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/

Enterprise Risk Management (ERM) Perspectives
KPMG: https://search.proquest.com/openview/bb262f0e01f4c952f9a5d65c1482eb74/1?pq-origsite=gscholar&cbl=41798
Gartner: https://www.gartner.com/en/documents/3269523/unsanctioned-business-unit-it-cloud-adoption-will-increa
Thomson Reuters: http://financial-risk-solutions.thomsonreuters.info/5-Key-Risks-2020?utm_source=internal&utm_medium=blog&utm_campaign=245422_5KeyRisksforFirms2020EP&utm_term=internal&utm_content=downloadreport&elqCampaignId=1565

CPA Firm Perspectives
AICPA: https://www.aicpa.org/content/dam/aicpa/research/standards/auditattest/asb/downloadabledocuments/asb-strategy-consultation-paper.pdf

Exhibit 6: Types of AICPA SOC Reports

SOC 1 (SOC for Service Organizations: ICFR): Used by auditors to gain an understanding of ICFR and assess the impact on the audit of financial statements. Type 1 focuses on the design of internal controls; Type 2 focuses on both the design and operating effectiveness of internal controls.

SOC 2 (SOC for Service Organizations: Trust Services Criteria): Controls at a service organization relevant to the security, availability, and processing integrity of the systems used to process users’ data, and the confidentiality and privacy of the information processed by these systems. Type 1 focuses on the design of internal controls; Type 2 focuses on both the design and operating effectiveness of internal controls.

SOC 3 (SOC for Service Organizations: Trust Services Criteria for General Use Report): In substance, a lean version of a SOC 2 intended for general distribution.

SOC for Cybersecurity (SOC for Cybersecurity Risk Management): A newer reporting framework that facilitates reporting on an organization’s enterprise-wide cybersecurity risk management program.

ICFR = Internal Control over Financial Reporting


Copyright of CPA Journal is the property of New York State Society of Certified Public Accountants and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.