For finance professionals, cloud computing can bring a lot of anxiety. A key contributor is ensuring the security of sensitive financial data and the ability to enforce internal controls when this data resides in the “cloud”, at a third-party service provider. In the US, with Sarbanes-Oxley and the hard-to-forget memories of the hoops finance departments had to jump through to comply with it, should finance departments ignore the cloud and keep their data securely on premises? We could debate ad infinitum whether your on-premises data is really secure, but what about the cloud computing providers? The economics of the cloud are certainly compelling, but what about the compliance risk?

Fortunately, there are standards to help ensure that your cloud provider has taken the proper steps to keep your financial data secure and compliant. These standards, namely the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) in the US and its international cousin, the International Standard on Assurance Engagements No. 3402 (ISAE 3402), provide guidance to accounting firms who audit a service provider’s books. These standards are relatively new, having gone into effect just last year. In the US, SSAE 16 replaced the better known Statement on Auditing Standards No. 70 (SAS 70). SAS 70 was issued by the American Institute of Certified Public Accountants (AICPA) several years ago for the same purpose—assessing a service provider’s internal controls. However, developments such as the globalization of information technology and a desire to align global accounting standards necessitated the adoption of the newer standards (the AICPA now requires its members to follow SSAE 16).

As I started to say, the new standards assist accounting firms who audit a service provider’s financial records (for the record, a “service provider” is any company that provides outsourced work to another company, and a cloud provider falls squarely in that camp). When performing an audit, accountants must also assess the effectiveness of a provider’s processes to safeguard financial data from tampering. These processes are called internal controls. Upon completing an internal controls audit, an accounting firm will issue a report attesting to the service provider’s compliance to its customers and other external stakeholders.

The standards also apply to companies that use service providers. They offer similar guidance to accounting firms who audit the books of companies that use external service providers. Because certain service providers—and most certainly providers of cloud-based financial systems—can have a significant impact on the customer’s control environment, external stakeholders need to ensure that both the company and the cloud provider have followed proper internal control procedures.

What does this mean to cloud providers? Among other things, it’s a powerful marketing tool—like the venerable Good Housekeeping seal, it helps dispel the concerns of would-be financial buyers that somehow their data is not safe or that they’ll have compliance problems if they ditch their old accounting systems for a cloud-based system. Additionally, a cloud provider’s salespeople should be able to articulate what this means to reluctant financial decision-makers. Now, before salespeople start flaming me, let me say that finance people get confused by this stuff (just ask them if they clearly understand the rules on revenue recognition or foreign exchange valuation). You don’t need to quote SSAE 16 or ISAE 3402 chapter and verse. Rather, you should be able to communicate just what I’ve written above, and if the finance person still has doubts, they can call their auditor. Cloud computing offers many significant benefits, but for some, the perceived risks prevent them from adopting it. Hopefully, this blog offers a bit more assurance that data in the cloud may indeed be better protected than data stored on premises.


  1. Gregory Misiorek
    Hi Jim,

    As standards go, there’s also the former ISO 17799. It seems to cover a similar area with an emphasis on security, but not only that.

    Looking at how slow and painful the convergence (condorsement and incorporation) of IFRS into US GAAP has been, it is sometimes really hard to convince finance people that they need more than their common sense, which is the most important thing in finance IT (on premise and in the cloud).

    Best regards,


    1. Jim Daddario Post author
      Hi Greg,

      Where is Chris Cox when we need him? :). Frankly, I think post-financial meltdown, the SEC is wise to reconsider replacing GAAP with the IFRS. Thanks for the ref on IEC 27002. I need to read up.
