Cloud and Service Assurance


8/11/2019 Cloud and Service Assurance

Cloud Provider Assurance Strategies: options for customers

September 2013


    Contents

    1 Introduction 1

    2 The Evolution of Assurance Standards 2

    3 The Way Forward 3


    1 Introduction

Cloud computing can be seen as the ultimate evolution of utility computing and outsourcing. It is defined by the National Institute of Standards and Technology (NIST) and the Cloud Security Alliance as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cloud computing has the potential to offer a number of distinct benefits for businesses, including cost containment, rapid resource provisioning and improved service availability. However, as businesses take advantage of these benefits and move more and more of their IT services to external Cloud providers, the approach to obtaining assurance over IT controls has begun to shift as well.

Companies may focus heavily on upfront risk management around the use of Cloud services, including the risks of incorrect solution selection, missing requirements, poor integration with the strategic IT plan, information architecture and technology direction, and service provider going-concern issues. However, focus also needs to be placed on the operational control environment of the Cloud provider, in order to avoid control gaps between the processes performed by the Cloud provider and those performed by the organisation. Such gaps could cause companies to fail to satisfy their audit/assurance charters and the requirements of regulators or external auditors.

Assurance requirements over Cloud providers include requirements over and above those traditionally addressing internal control over financial reporting. Deficiencies in the control environment provided by these outside service organisations may result in the unauthorised release of customer information, a breach of system security, or a service disruption that could lead to reputational damage or compliance failures. Even though businesses may outsource one or more components of their operational organisation, they remain ultimately responsible for their control environment and for their compliance with regulatory requirements and standards. A third-party audit of critical business and IT operations helps to identify and control these key risks. As well as covering the general IT control environment, such audits are also able to provide assurance over the provider's processes relating to transaction integrity, quality management, resource allocation and billing.


    2 The Evolution of Assurance Standards

Traditionally, many organisations have asked their outsource providers to provide them with a SAS 70 (Statement on Auditing Standards No. 70) report in order to obtain assurance over the IT control environment. This standard, however, was never intended to provide assurance outside the scope for which it was created (controls that relate to financial reporting), nor was the resulting report intended for distribution beyond the user organisation and its auditors.

In order to address this, the International Auditing and Assurance Standards Board (IAASB) published a 2011 revision to the International Standard on Assurance Engagements (ISAE) 3000, Assurance Engagements Other than Audits or Reviews of Historical Financial Information. The IAASB put forward ISAE 3000 as a principles-based standard to be applied to a broad range of underlying subject matters, including controls over non-financial processing for privacy, availability, confidentiality and processing integrity, and whose reports are not restricted to the user organisation and its auditors.

In addition, the ISAE 3000 standard now provides for two levels of assurance:

Reasonable assurance - expresses an opinion in the positive form, where the practitioner's conclusion conveys an opinion on the outcome of the measurement or evaluation of the underlying subject matter, i.e. "In our opinion, internal control is effective, in all material respects, based on XYZ criteria."

Limited assurance - expresses an opinion in the negative form, where the practitioner's conclusion is expressed in a form that conveys that, based on the procedures performed, nothing has come to the practitioner's attention to cause the practitioner to believe the subject matter information is materially misstated. Limited assurance attestation engagements also allow for evidence collection by means other than tests of controls.

Also of note is that ISAE 3000 audits are designed to test whether an operator adheres to the controls it has established for itself. There is no minimum standard or benchmark for those processes, and as a result an ISAE 3000 report provides no certification. The table below sets out how an ISAE 3000 report compares to commonly used assurance standards:

Report Standard: ISAE 3402 / SSAE 16 / SAS 70
Report Type: SOC 1 Report
Subject Matter: Controls at a service provider relevant to user entities' internal control over financial reporting
Issued By: Certified Accountant
Intended Use: Client; Client Auditor

Report Standard: ISAE 3000
Report Type: SOC 2 Report
Subject Matter: Controls at a service provider relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy
Issued By: Certified Accountant
Intended Use: Client; Business Partners; Prospective Business Partners

Report Standard: ISAE 3000
Report Type: SOC 3 Report
Subject Matter: Same as SOC 2
Issued By: Certified Accountant
Intended Use: Anyone

Report Standard: ISO 27001
Report Type: ISO 27001 certificate
Subject Matter: Information security management system
Issued By: Accredited certification body
Intended Use: Client; Prospective Business Partners


    3 The Way Forward

As can be seen from the previous section, for assurance around Cloud provider control environments, and indeed for any environment not specifically dealing with controls over financial reporting, organisations would be best guided to follow the route of an ISAE 3000 engagement when addressing controls in the SOC 2 and SOC 3 arena. However, given that this review will still result in an assurance report and opinion, it is not something organisations should rush headlong into: a phased approach of maturing and readying the environment is the most practical and risk-averse way to achieve the desired outcome.

KPMG has developed customised approaches to efficiently help service organisations throughout their ISAE and SOC implementation initiatives, as well as with the review of existing SOC reports to ensure they meet current needs. KPMG's services include readiness assessments, implementation and attestation engagements.

KPMG's safe SOC implementation approach

Readiness assessment

The purpose of a pre-SOC or readiness assessment review is to focus on the key areas that will be covered in an upcoming SOC examination and to identify those control weaknesses that need to be corrected before the attestation engagement period begins. Findings are reported only to the management of the service organisation.

Implementation

The effective implementation of the corrective actions identified as part of the readiness assessment is a key success factor in minimising the occurrence of deficiencies during the SOC examination.

Attestation

The attestation services comprise the SOC examination and the issuance of the SOC report, which covers the service organisation's description of its controls, the testing of their design and, for Type II reports only, the testing of their operating effectiveness over a minimum six-month period.


    Contact us

    Brent Cairney

    Director: IT Advisory

    T +27 (0)83 299 8757

    E [email protected]

    Robb Anderson

    Senior Manager: IT Advisory

    T +27 (0)82 719 2413

    E [email protected]

    www.kpmg.com

2013 KPMG Services (Proprietary) Limited is a company incorporated under the South African Companies Act and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).