Are data in the 'cloud' readily auditable? (Webinar Attendee Question)

Yes, as much as with any software application, regardless of where hosted. Relate document management processes and other controls will also be important. You will likely need an internal controls (SSAE 16) report from your provider.

Microsoft has recognized this need with SharePoint - its document management system (also available in an online version). One issue with auditability is access permissions - do auditors have the appropriate permissions to review information online. SharePoint provides for an 'auditors' security group that provides specific access to content regardless of the permissions that have been put on that content.

Contribution by Chris Tait, MBA, CISA, CFSA - Director
at Baker Tilly Virchow Krause, LLP:

Basically, our advice to our clients is to follow good vendor management principles. Those haven’t changed in a long time, however the types of assurance one can get have changed to keep up with the constantly moving landscape.

1. Assurance – the AICPA created new assurance standards to commonly referred to as SSAE16 or SOC reports. Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service.
- http://www.bakertilly.com/SOC-reporting
- http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx

2. Security – ISO Certifications are very common (ISO 2700x)

3. Cloud Specific – the Cloud Security Alliance (https://cloudsecurityalliance.org/) are pushing very hard for transparency and self attestation in the arena. Big players like Microsoft and Amazon.com are on board.
Key items of note:
- CSA STAR (Security, Trust and Assurance Registry) - https://cloudsecurityalliance.org/star/
This is not the Holy Grail – but gets at the root of a push for transparency and sharing of information
- They have developed a could framework called the CCM (Cloud Control Matrix) – very cool stuff and free to download and use as a part of your normal audit / assurance procedures
- Work with your provider to get disclosures and information that you need to be comfortable. Keep asking and be inquisitive.

Having your data hosted won't prevent you in any way from performing an audit. In many instances, having your data within a hosted environment allows for the audit to be completed sooner and with less disruption to your business as the auditing party can gain access to the data within the ‘live’ environment.

Naturally, security remains the upmost. Therefore, you want to ensure the hosting provider is SSAE16 certified as well as an approved Intuit Commercial Hosting Provider should you choose to have your QuickBooks hosted. Many of the approved Commercial Hosting Providers can also provide you with their most recent SOC reports for your review. Additionally, when considering migrating to a hosted environment implementation of the provider's infrastructure is pivotal as poor design can be catalyst to increased downtime and poor performance.

In researching various commercial providers, I have found Right Networks to offer the most reliable and scalable solution.