
Cloud Provider Assurance Strategies: options for customers



September 2013


Contents
1 Introduction
2 The Evolution of Assurance Standards
3 The Way Forward



1 Introduction
Cloud computing is the ultimate evolution of utility computing and outsourcing,
defined by the National Institute of Standards and Technology (NIST) and the Cloud
Security Alliance as a model for enabling convenient, on-demand network access
to a shared pool of configurable computing resources (e.g., networks, servers,
storage, applications, services) that can be provisioned and released with minimal
management effort or service provider interactions.
Cloud computing has the potential to offer a number of distinct benefits for businesses, including
cost containment, rapid resource provisioning, and improved service availability. However, as the
world of business begins to take advantage of these benefits and move more and more of their IT
services to external Cloud providers, the approach to obtaining assurance over IT controls has begun
to shift as well.
Companies may focus heavily on upfront risk management around the use of Cloud services,
including the risks of incorrect solution selection, missing requirements, poor integration with the
strategic IT plan, information architecture and technology direction, and service provider going
concern issues. However, focus also needs to be placed on the operational control environment of the
Cloud provider, in order to avoid control gaps between the processes performed by the Cloud provider
and those performed by the organisation; such gaps could cause companies to fail to satisfy their
audit/assurance charters and the requirements of regulators or external auditors.
Assurance requirements over Cloud providers include requirements over and above those
traditionally addressing internal control over financial reporting. Deficiencies in the control
environment provided by these outside service organisations may result in the unauthorised release
of customer information, a breach of system security, or a service disruption that could lead to
reputational damage or compliance failures. Even though businesses may outsource one or more
components of their operational organisation, they remain ultimately responsible for their control
environment and for their compliance with regulatory requirements and standards. A third-party audit
of critical business and IT operations helps to identify and control these key risks. As well as covering
the general IT control environment, such audits are also able to provide assurance over the
provider's processes relating to transaction integrity, quality management, resource allocation and
billing.


2 The Evolution of Assurance Standards
Traditionally, many organisations have asked their outsource providers to provide them with a SAS 70
(Statement on Auditing Standards No. 70) report in order to obtain assurance over the IT control
environment. This standard, however, was never intended to provide assurance outside the scope
for which it was created (controls that relate to financial reporting), nor was its report intended for
distribution beyond the user organisation.
In order to address this, the International Auditing and Assurance Standards Board (IAASB) published
a 2011 revision to the International Standard on Assurance Engagements (ISAE) 3000, Assurance
Engagements Other than Audits or Reviews of Historical Financial Information. The IAASB put
forward ISAE 3000 as a principles-based standard to be applied to a broad range of underlying
subject matters, including controls over non-financial processing for privacy, availability, confidentiality
and processing integrity, with a report that can be distributed to anyone.
In addition, the ISAE 3000 standard now provides for two levels of assurance:
Reasonable assurance - expresses an opinion in the positive form, where the practitioner's
conclusion conveys an opinion on the outcome of the measurement or evaluation of the
underlying subject matter, e.g. "In our opinion internal control is effective, in all material respects,
based on XYZ criteria".
Limited assurance - expresses an opinion in the negative form, where the practitioner's conclusion
conveys that, based on the procedures performed, nothing has come to the practitioner's
attention to cause the practitioner to believe the subject matter information is materially
misstated. Limited assurance attestation engagements also allow for evidence collection by
means other than tests of controls.
Also of note is that ISAE 3000 audits are designed to test whether an operator adheres to the
controls it has established for itself. There is no minimum standard or benchmark for those
processes, and as a result an ISAE 3000 report provides no certification. The table below sets out how
an ISAE 3000 engagement compares to commonly used assurance standards:
Report Standard | Report Type | Subject Matter | Issued By | Intended Use
ISAE 3402 / SSAE 16 / SAS 70 | SOC 1 Report | Controls at a service provider relevant to user entities' internal control over financial reporting | Certified Accountant | Client; Client Auditor
ISAE 3000 | SOC 2 Report | Controls at a service provider relevant to: Security, Availability, Processing Integrity, Confidentiality, Privacy | Certified Accountant | Client; Business Partners; Prospective Business Partners
ISAE 3000 | SOC 3 Report | Same as SOC 2 | Certified Accountant | Anyone
ISO 27001 | ISO 27001 certificate | Information security management system | Accredited certification body | Client; Prospective Business Partners



3 The Way Forward
As the previous section shows, for assurance over Cloud provider control environments, and indeed
over any environment not specifically concerned with controls over financial reporting, organisations
would be best guided to follow the ISAE 3000 route when addressing controls in the SOC 2 and
SOC 3 arena. However, given that this review will still result in an assurance report and opinion, it is
not something that organisations should rush headlong into: a phased approach of maturing and
readying the environment is the most practical and risk-averse way to achieve the desired outcome.
KPMG has developed customised approaches to efficiently help service organisations throughout
their ISAE and SOC implementation initiatives, as well as with the review of existing SOC reports to
ensure they meet current needs. KPMG's services include readiness assessments, implementation
and attestation engagements.
KPMG's safe SOC implementation approach

Readiness assessment
The purpose of a pre-SOC or readiness assessment review is to focus on the key areas that will be
covered in an upcoming SOC examination and to identify those control weaknesses that need to be
corrected before the attestation engagement period begins. Findings are reported only to the
management of the service organisation.
Implementation
The effective implementation of the corrective actions identified as part of the readiness assessment
is a key success factor in minimising the occurrence of deficiencies during the SOC examination.
Attestation
The attestation services comprise the SOC examination and the issuance of the SOC report, which
sets out the service organisation's description of controls, the testing of their design and, for Type II
reports only, the testing of the operating effectiveness of the service organisation's controls over a
minimum six-month period.




Contact us
Brent Cairney
Director: IT Advisory
T +27 (0)83 299 8757
E brent.cairney@kpmg.co.za
Robb Anderson
Senior Manager: IT Advisory
T +27 (0)82 719 2413
E robb.anderson@kpmg.co.za
www.kpmg.com
2013 KPMG Services (Proprietary) Limited is a company incorporated under the South
African Companies Act and a member firm of the KPMG network of independent member
firms affiliated with KPMG International Cooperative (KPMG International), a Swiss
entity. All rights reserved.
The information contained herein is of a general nature and is not intended to address the
circumstances of any particular individual or entity. Although we endeavour to provide
accurate and timely information, there can be no guarantee that such information is
accurate as of the date it is received or that it will continue to be accurate in the future. No
one should act on such information without appropriate professional advice after a thorough
examination of the particular situation.
The KPMG name, logo and "cutting through complexity" are registered trademarks or
trademarks of KPMG International Cooperative (KPMG International).
