About Me

Jason Lannen is the Managing Director of TurnKey IT Solutions, LLC. Experienced IT Auditor and Consultant focusing on SOX 404, SOC 1 / SSAE 16 (formerly SAS 70), SOC 2, PCI, ISO 27000, Information Security and Data Analysis. Check out our website at http://www.turnkeyit.net and email us at info@turnkeyit.net for more information.

Sunday, January 22, 2012

SOC Reports: The customer is always right

[Illustration: a conversation between a data center and a potential customer about which SOC report is required]
The illustration above depicts a typical conversation that is currently happening between data centers and their potential customers. There is confusion among data centers, their potential customers and even some accounting firms in understanding the changes that have taken place. The SOC 1 / SSAE 16 attestation standard has replaced the SAS 70 audit standard. There are also SOC 2 and SOC 3.
Which one is acceptable? Which one is best? I think that is the key question that we should help service organizations (i.e. data centers) answer at this time.
Let's start with AICPA guidance, since they issued the changes in the first place:
Report: SOC 1 / SSAE 16
Intended Use: SOC 1 / SSAE 16 reports "are specifically intended to meet the needs of the entities that use service organizations (user entities) and the CPAs that audit the user entities' financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities' financial statements."

Report: SOC 2
Intended Use: SOC 2 reports "are intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users' data and the confidentiality and privacy of the information processed by these systems."

Report: SOC 3
Intended Use: SOC 3 reports "meet the needs of users who need assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems used by a service organization to process users' information, and the confidentiality, or privacy of that information, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report."

Simply put, SOC 1 / SSAE 16 reports provide reasonable assurance that a service organization has internal controls over financial reporting. Define reasonable? That's up to the service auditor that issues the SOC 1 / SSAE 16 report and the user organizations (and their auditors) that evaluate it.
SOC 2 and SOC 3 reports are intended to provide users with information about the controls the service organization has in place that may affect the security, availability, processing integrity, confidentiality and/or privacy of information.
While SOC 1 / SSAE 16 may not be the best option for a service organization to undergo, it's what their customers are still asking for. If a SOC 2 report is a better option than SOC 1 / SSAE 16, the accounting firm should inform the service organization about it. As long as 1) the accounting firm (service auditor) performing the audit for the service organization is working within the rules issued by the AICPA and 2) the service organization knows the differences between the types of reports and communicates the updates to their customers, what is the issue?
At the end of the day, the customer is always right. It is our job to inform service organizations about the changes that have taken place, and let them decide which report they want.

Wednesday, November 4, 2009

A trip into the secret, online 'cloud'

Found another interesting article on cloud computing on CNN.com today - front page headline:

"One day, while uploading yet another text file to the Google Docs Web site, I started to wonder: When I save this file online, where does it actually go?"

http://www.cnn.com/2009/TECH/11/04/cloud.computing.hunt/index.html

The buzz about Cloud Computing (aka The Cloud) – an exciting new technology, but are IT risks being properly managed?

Does your organization outsource IT services and data to 3rd party providers? Do you access those IT services via web browser? Do you manage your personal contacts via Google, LinkedIn, Facebook or other online applications? If you answered 'yes' to any of these questions, your information and data are being managed in 'The Cloud'.

Outsourcing information and data to outside service providers in The Cloud is nothing new, but it has become more commonplace and accepted with the creation, reliability and security of web technologies that support our computing needs outside of the traditional IT structure. It has become a hot topic of discussion among IT professionals as well as everyday home computer users.

Companies and individual users in society are realizing the benefits of The Cloud – outsourcing their management of computing systems, infrastructure and data to applications on the internet. This has presented opportunities for improving IT performance, increasing storage capacity, streamlining business processes and reducing IT costs. No doubt, The Cloud will revolutionize the way we manage IT systems, protect and store data, as well as do business and manage our lives personally. However, this technology has also presented a new set of risks and challenges from information protection to data integrity to regulatory compliance and governance of IT.

What are organizations doing to address these risks as well as others? What are you doing in your personal life to make sure your information is backed up and protected?