CLOUD COMPUTING: APPLYING THIS “NEW” TECHNOLOGY TO YOUR PRACTICE
Douglas W. Barbin, CPA, CISSP, PCI QSA, CCSK
BrightLine CPAs & Associates, Inc.
November 4, 2011



Divorced after 72 Days


AGENDA AND OVERVIEW

• What is the hype that is cloud computing?
• What are the opportunities for a CPA firm to utilize cloud services?
• What are the risks and challenges associated with cloud computing?


THE FLAVORS AND FEATURES OF “THE CLOUD”

Cloud computing is defined by how it is delivered.

If a provider cannot articulate this clearly, be concerned…

http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf


SERVICE MODELS

• Infrastructure-as-a-Service
  – Provider hosts physical hardware
  – Customer manages operating platform and application
• Platform-as-a-Service
  – Provider hosts hardware, operating platform
  – Customer manages application
• Software-as-a-Service
  – Service provider hosts hardware, operating platform, & application


OPPORTUNITIES FOR YOU AND YOUR CLIENTS

Business Value
• Pay-per-use
• Lower technology barrier to entry
• Grows with the firm
• Lower risk*
  – Infrastructure failure
  – Laptop failure
  – Security
• Cloud providers compete on price and ease of use

Functional Opportunities
• Finance and accounting
• Sales and marketing automation
• Human resources and recruiting
• Time and expense reporting
• Travel planning / coordination
• Business process enablement
• Client collaboration

* Denotes risks that must be evaluated


RISKS OF CLOUD COMPUTING

• Not all cloud providers are created equal!
• It is critical that a CPA firm understand:
  1. Where data/equipment is located
  2. How data/equipment is secured
     • Physical security
     • Access control
     • Administrative management
     • Data protection (encryption)
  3. How availability is maintained
     • Environmental controls (fire, power, etc.)
     • Network and systems availability
     • Backup services
  4. How the service and controls are monitored

Most importantly, you must understand what YOUR responsibilities are as the customer (a.k.a. user controls)

http://www.cloudbook.net/resources/stories/risk-evaporation-part-1


USING AICPA “SOC” REPORTS FOR EVALUATION

• SOC = Service Organization Controls
• SOC 1 = SSAE 16 (the new SAS 70)
• SOC 2 – Used when services do not impact controls for financial reporting
  – Uses Trust Services Principles (Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  – Includes auditor's opinion, management assertion, description of system/controls and test results
• SOC 3 = SysTrust
  – Result is the SysTrust/SOC 3 seal
  – Also uses Trust Services
  – General purpose; also used for services that do not impact financial reporting controls

http://www.aicpa.org/soc

[Sample SOC report excerpts shown on slides 12 and 13: Type 2 operating effectiveness qualification; control objectives; controls and tests]


PERFORMING YOUR DUE DILIGENCE

• Identify and review other forms of assurance/compliance
  – PCI validation
  – ISO 27001 certification
  – TRUSTe privacy certification
  – Cloud Security Alliance Consensus Assessment Questionnaire
  – BITS Supplemental Information Gathering (SIG) Questionnaire
• Search for customer testimonials and online statements related to reputation and performance
• Visit the provider (if practical)
• Review service descriptions (including product marketing descriptions)
• Review your agreement for:
  – Uptime guarantees / SLA
  – Audit clauses
  – Confidentiality assertions
  – Compliance requirements


IN SUMMARY

• Like it or not, cloud computing is a paradigm shift for IT
• Accompanying the shift is significant visibility and hype
• There are innovators and pretenders!
• Cloud services are only real when they are developed around operational and delivery models
• Significant opportunity for CPAs to flexibly outsource non-core functions
• Firms must understand the service and perform proper due diligence


THANK YOU!

Douglas W. Barbin, Director, BrightLine

E: [email protected] | T: 1-866-254-0000 ext. 139 | F: 1-888-533-7108

Twitter: @DougBarbin / @brightlinecpas

www.BrightLine.com