Assurance for Cloud-based Systems
Gartner recently released a report entitled Gartner’s Top Predictions for IT Organizations and Users, 2011 and Beyond: IT’s Growing Transparency. In that report, there was a very notable prediction related to assurance. It stated: "By 2015, 80% of enterprises using external cloud services will demand independent certification that providers can restore operations and data."
Many readers will immediately think of the AICPA SAS 70 Reports. However, SAS 70 reports do not explicitly address non-financial controls and cannot be counted upon to provide assurance in this respect.
The AICPA recognized this issue and the demand for assurance on Security, Availability, Processing Integrity, Confidentiality or Privacy and released new guidance specifically to deal with these engagements, generically referred to as SOC 2 Reports. SOC 1 reports (under SSAE 16) deal with financial controls and SOC 3 reports deal with the use of Trust Services seals for Service Organizations.
The new guidance, some of which is still in the process of preparation, will enable assurance professionals to respond more effectively to the various needs for assurance on service organizations, which include cloud providers.