How the Accounting Profession Is Boosting Cloud Security

If a data breach occurs while this sensitive customer information is being handled by the cloud service provider, the business itself continues to retain responsibility for protecting it. Given this, concerns over liability and reputation have intensified the demand for related controls. Enter the AICPA’s introducution of Service Controls, known as SOC 1, SOC 2 and SOC 3.

Understanding SOC 1, 2 and 3

As defined by the AICPA, Service Organization Control (SOC) reports are internal control reports on the services provided by an organization which include valuable information that users need to assess and address the risks associated with an outsourced service. There are three types of SOC engagements.

1. A SOC 1 engagement is specifically intended to meet the needs of management and auditors as they evaluate the effect of the controls at the cloud service organization on the users’ financial statement assertions. These reports are important components of complying with laws and regulations like Sarbanes-Oxley and in planning and performing audits. The use of these reports are restricted to the management of the service organization, user entities of the service organization, and user auditors.
2. A SOC 2 engagement is a report on controls that are likely to be relevant to the security, availability or processing integrity of a cloud service provider’s system or the confidentiality or privacy of the information processed by the system. In this type of engagement, management of the service organization determines which controls to include within the scope of the engagement, develops a description of the system used to provide the services and related controls, and engages a service auditor to apply procedures and report on the identified controls. This type of report is useful for governance, risk and compliance programs, oversight and due diligence work. The users of this report are service organization management and other user entities and regulators.
3. In an SOC 3 engagement, a practitioner reports on whether the cloud service organization maintained effective controls overs its system. Although similar to an SOC 2 report, the SOC 3 report doesn’t include a detailed description of the service auditor’s tests of the operating effectiveness of controls and the results of those tests. Also, the SOC 3 report is not restricted in terms of use. Because detail is not needed in this report, it is often used for marketing purposes to boost confidence in the security, availability, processing, integrity, confidentiality or privacy of a cloud service organization’s system.

A need that will continue to grow

The need for cloud service providers to reassure their users about controls over the integrity of their systems and the safety of their customer data processed by those systems will continue to lead them to practitioners who can perform SOC engagements. And with market awareness of these reports continuing to grow, firms who offer these types of services will certainly be well-positioned into the future. So, if your firm is one that is looking to offer niche services in an area that will continue to grow exponentially, then SOC engagements might be the way to go.

——————
Jon Baron joined the Tax & Accounting business of Thomson Reuters in 1992. Prior to his current position as Managing Director of the Professional segment, Jon held the positions of President of Professional Software & Services, and Vice President of Development, where he was responsible for the design and development of all Professional products and services. Jon has three decades of technology development and management experience. Jon holds a BBA in Accounting from Siena College and an MBA from Boston University.