Audit Clauses in Cloud Computing Contracts
I read an excellent article today on law.com by Edward Pisacreta, a partner at Holland and Knight. The article discusses one of the least sexy, yet most important, components of cloud computing: contracts. It is a thorough analysis of the contract elements that should be considered when engaging a service provider, and it includes guidance on putting contractual guardrails in place to define where your data can and cannot be stored and how it is protected. He also touched on SAS 70 audit requirements, which I would like to briefly expand upon here.
For cloud computing contracts, I advise that customers who outsource business processes, including those that rely on cloud computing, consider the following:
- If the service provider already has an audit performed, request a copy and ensure that the content of the report is suitable for your organization’s needs. Provide feedback if any modifications need to be made for the purposes of future audits.
- Contractually require an audit performed in accordance with Statement on Auditing Standards No. 70, or any superseding domestic or international standard that may replace it. The latter clause is very important: new domestic and international standards are in the process of being promulgated and will eventually replace the current SAS 70 standard entirely, and a contract that names only SAS 70 leaves you without an audit right once that happens.
- Require a report on controls placed in operation and tests of operating effectiveness, often referred to as a Type 2 audit. A Type 1 report is better than no report at all, but it only describes the design of controls at a point in time and is not suitable for SOX or financial statement audit purposes.
- If there are certain aspects of the service that are of particular interest, specify that they are to be included within the control objectives of the audit. If you want to be certain your needs are met, specify the exact control objective(s) to be used for the purposes of the audit.
- Consider the anticipated report date (in the case of a Type 1 audit) or review period (in the case of a Type 2 audit) and verify that it is appropriate for your needs. For Type 2 audits, review periods are normally between 6 and 12 months in duration. Document the report date or review period in the contract.
- Document the date by which your organization will receive the report each year.
Following these simple suggestions would avoid 90% of the issues that result from paying too little attention to SAS 70 audit clauses.
Good article Mr. Pisacreta! While I enjoy a good read on virtualization, new models of cloud provisioning, and scary stories about security, it is nice to see writing about the boring business necessities (like audits) that make cloud computing better in the real world. I hope you can make it out to CloudExpo this week!
About CHRIS SCHELLMAN
Chris Schellman is the CEO and Founder of Schellman & Company, LLC, which is an accredited CPA Firm, PCI QSA Company, ISO 27001 Registrar, FedRAMP 3PAO, and HITRUST CSF Assessor. He began his career focusing on IT audits and SAS 70s and has now contributed to nearly 2,000 SOC examinations.