Audit Clauses in Cloud Computing Contracts

SOC | Cloud Computing

I read an excellent article today on law.com by Edward Pisacreta, a partner at Holland and Knight. The article discusses one of the least sexy, yet most important, components of cloud computing… contracts. It is a thorough analysis of the important contract elements that should be considered when engaging a service provider and includes guidance on putting contractual guardrails in place to define where your data can and cannot be stored and how it is protected. He also touched on SAS 70 audit requirements, which I would like to briefly expand upon here.

For Cloud Computing Contracts, I advise that customers that outsource business processes, including those that rely on Cloud computing, consider the following:

  • If the service provider already has an audit performed, request a copy and ensure that the content of the report is suitable for your organization’s needs. Provide feedback if any modifications need to be made for the purposes of future audits.
  • Contractually require an audit performed in accordance with Statement on Auditing Standard No. 70, or any superseding domestic or international standard that may replace it. The latter clause is very important given that new domestic and international standards are in the process of being promulgated and will eventually replace the current SAS 70 standard entirely.
  • Require a report on controls placed in operation and tests of operating effectiveness, often referred to as a Type 2 audit. A Type 1 report is better than no report at all, but is not suitable for use for SOX or financial statement audit purposes.
  • If there are certain aspects of the service that are of particular interest, specify that they are to be included within the control objectives of the audit. If you prefer to ensure your needs are met, specify the exact control objective(s) to be used for the purposes of the audit.
  • Consider the anticipated report date (in the case of a Type 1 audit), or review period (in the case of a Type 2 audit), and verify that it is appropriate for your needs. For Type 2 audits, review periods are normally between 6 and 12 months in duration. Document the report date/review period in the contract.
  • Document the date by which your organization will receive the report each year.

Following these simple suggestions would avoid 90% of the issues that result from too little concern for SAS 70 audit clauses.

Good article Mr. Pisacreta! While I enjoy a good read on virtualization, new models of cloud provisioning, and scary stories about security, it is nice to see writing about the boring business necessities (like audits) that make cloud computing better in the real world. I hope you can make it out to CloudExpo this week!

About CHRIS SCHELLMAN

Chris Schellman is the CEO and Founder of Schellman & Company, LLC, which is an accredited CPA Firm, PCI QSA Company, ISO 27001 Registrar, FedRAMP 3PAO, and a HITRUST CSF Assessor. He began his career focusing on IT audits and SAS 70’s and has now contributed to nearly 2,000 SOC examinations.