e ar

at r

ticl
u
e
fe

Cloud Software: How to Validate

Third-Party Vendors
Kurt Fanning

INTRODUCTION INTERNAL CONTROL

The increased outsourcing of applications and
One of the more data processing by firms raises an important Assessing the
important changes issue: How should you validate the actions of the internal control of
occurring in the work- third-party vendors? The Sarbanes-Oxley Act and a service provider is
place is the outsourcing other compliance issues require some form of an important issue
of applications and because investors
judgment of those actions. This article explains
data processing nor- and lenders rely on
mally done internally the authoritative guidance for reporting on such the external auditor’s
by the firms. Increas- service organizations. The author looks at assess- attestation regard-
ingly, this is occurring ing the validity of the service provider’s internal ing a firm’s financial
by firms using third- control, privacy compliance, and other aspects statement. In our
party vendors through from both the user’s and deliverer’s point of view. more complex world
some form of cloud © 2014 Wiley Periodicals, Inc. with perhaps 50 to
computing. Histori- 75% of the process-
cally, straightforward ing of the transac-
repetitive tasks, such as payroll deal with a changing environ- tions outside of the firm, the
and taxes, have long been a ment. This article addresses the issue of the reliability of the
mainstay to be outsourced to a important issues of assessing the third-party vendors is increas-
service provider. Now, almost all validity of the service provider’s ingly important. The big ques-
possible tasks have some viable internal control, privacy compli- tion is how to make the system
third-party vendor available to ance, and other aspects of these of determining both the strength
offer that service over the cloud. outsourced activities from both of the service provider’s inter-
Thus, service providers offering the user’s and deliverer’s point nal control and the accuracy of
processes such as customer rela- of view. This article provides their processing skills work effi-
tions management, sales force information and recommenda- ciency and effectively.
transactions, human resources, tions to those responsible for Decades ago, firms handled
and general accounting on the dealing with Statement on Stan- the issue of verifying the work
cloud have all grown exponen- dards for Attestation Engage- of these third-party vendors by
tially. ments (SSAE) 16, International exchanging letters between the
With this fundamental Standard on Assurance Engage- external auditors of the firms. In
change in the way of doing ments (ISAE) 3402, and other some extreme cases, the external
business, ancillary issues have issues surrounding using service auditor of one firm sent per-
come to the forefront as firms providers. sonnel to examine the internal

© 2014 Wiley Periodicals, Inc.

Published online in Wiley Online Library (wileyonlinelibrary.com).
DOI 10.1002/jcaf.21968 25
26
control at the service provider.
With most process and transac-
tions still maintained in-house,
the auditors were comfortable
with this system.
As the amount of outsourc-
ing and cost of using auditors
increased, an alternative to this
process needed to emerge. This
process was started in 1982 at
a limited level by the American
Institute of Certified Public
Accountants (AICPA) with their
Statement of Auditing Stan-
dards (SAS) 44, Special Purpose
Reports on Internal Accounting
Control at Service Organiza-
tions. A more thorough solution
was offered when the AICPA
issued SAS 70, which was issued
in 1992 and later modified in
2005. It offered a viable solution
to this issue of internal control
verification of the third-party
vendors that lasted for almost 20
years.
A decade later, in 2002,
Sarbanes-Oxley legislation was
passed by Congress. At the front
and center of Sarbanes-Oxley
were sections 302 and 404, which
required every publicly traded
company to provide a written
judgment on the status of their
internal control. This has also
affected private companies, since
they have mainly also followed
this policy of providing a written
judgment of their internal con-
trol. Sarbanes-Oxley increased
the importance of SAS 70 and
made all companies aware of
their need to understand and use
SAS 70.
As the importance of SAS
70 grew, it developed shortcom-
ings and possible abuses that
needed to be addressed. In 2011,
SSAE 16 replaced SAS 70, thus
solving many of these short-
comings. At the same time, the
AICPA also addressed the issue
of being congruent with interna-
tional standards by attempting
DOI 10.1002/jcaf
The Journal of Corporate Accounting & Finance / July/August 2014
to coordinate with ISAE 3402.
Thus, SSAE 16 is an important
document for firms to under-
stand and abide by in their work.
SSAE 16
SSAE 16 was issued by
the Auditing Standards Board
(ASB) of the AICPA in 2011. It
specifically replaced SAS 70 and
is intended to work with ISAE
3402. It is also known as service
organization control (SOC) 1.
Along with the SSAE 16 are two
different levels of service orga-
nization controls reports, SOC
2 and SOC 3. SOC 2 focuses on
the privacy issues, among oth-
ers, and is restricted to certain
users. SOC 3 covers the AICPA
SysTrust and WebTrust offer-
ings from more of a marketing
perspective.
SSAE 16 (SOC 1) reports
exist because it is impossible for
a public company to audit every
one of the service companies
that they use. SSAE 16 reports
provide third-party vendors a
means to provide the audited
documentation that is neces-
sary for their clients to meet the
internal control requirements
of Sarbanes-Oxley. To meet
Sarbanes-Oxley requirements on
the customers’ end, the custom-
ers needed independent valida-
tion from a CPA firm that third-
party vendors’ internal processes
and controls are sound and
working as intended. In some
cases, without an SSAE 16 audit
report, the client may be forced
to use other vendors, thus losing
business for the deliverer from
that particular customer or pros-
pect. However, with a working
SSAE 16 audit report, the third-
party vendor has an important
marketing tool to differentiate
it from other competitors who
may not have it. Thus, SSAE
16 was doubly important. First,
it was a way for firms to avoid
auditing their service providers.
The firms can use the report
created under SSAE 16 to meet
their internal control compliance
issues. Second, the SSAE 16
report also lets service providers
be more desirable to their poten-
tial clients.
An SSAE 16 report is not a
certification, since guidelines for
a universal certificate for validat-
ing internal control at service
providers would be difficult to
come by in practice. With all
the possible individual different
issues that could affect the inter-
nal control system, a one-size-
fits-all certificate is probably not
possible. Rather than undertake
such a difficult approach, SSAE
16 gives guidelines to creating a
report that will provide auditor-
to-auditor communication
regarding the service provider.
This provides the auditors of
the clients of service providers
with a detailed report about the
controls at a third-party vendor’s
organization. Special attention
is paid to those parts of the ser-
vice provider system that would
affect the user’s judgment of its
internal control.
The resulting report can be
performed only by a CPA or
CPA firm. However, portions
of the readiness assessment and
control design can be performed
by non-CPA firms with the
experience to do so. Still, it is a
specialized niche, with a high
cost tag associated with the pro-
cess.
All of the reports generated
through the SSAE 16 process
include a detailed description
of the service organization’s
system. The auditor of the user
of the service provider uses
this detailed report to deter-
mine how their client’s service
organization’s system internal
controls apply to the client’s own
© 2014 Wiley Periodicals, Inc.
The Journal of Corporate Accounting & Finance / July/August 2014
internal control. Ideally, with a
positive SSAE 16 report, it can
then judge the client’s internal
control, including the parts out-
sourced, to be acceptable.
SSAE 16 reports come in
one of two types: Type I or
Type II. Both types rely on the
service provider’s management’s
description of their controls.
The scope of each type of
report is similar to that used
for Types I and II under the old
guidelines of SAS 70. In a Type
I audit, the auditor primarily
makes inquiries about the ser-
vice provider and observes their
transaction processing and con-
trols for a single point in time.
The auditor in a Type I report
makes no actual testing of the
service provider’s controls. Thus,
the Type I report states whether
a service company’s internal
controls are fairly and com-
pletely described and whether
they have been adequately
designed to meet their objectives
at a certain point in time. This
usually is a specific date, such as
June 30.
The Type II report does the
same thing as a Type I report
but actually tests the controls in
operation over a certain stated
time period as opposed to a set
date, as in Type I. Thus, a Type
II report is more thorough and
requires more time and effort
than a Type I. What is included
in the assessment report under
either a Type I or Type II audit
depends on the needs of the
user of the service provider. The
audit is normally directed to
focus on how the service pro-
vider’s internal control impacts
the user’s operations.
The SSAE 16 report for
both types will include the fol-
lowing recommended areas. The
first item will be the auditor’s
opinion letter, also called the
Independent Service Auditor’s
© 2014 Wiley Periodicals, Inc.
Report, which states whether
the auditor believes the controls
are adequate. This is followed by
descriptions of the services the
service vendor provides to the
client. Then the report covers
the status of the control environ-
ment, risk assessment process,
management information and
communication systems, general
controls, application controls,
and monitoring procedures.
Finally, the report covers any
user control considerations and
other relevant information nec-
essary for the report.
The actual audit process
includes reviewing the control
objectives and control activities
at the service provider to verify
that they exist and are designed
as described. The auditors will
obtain samples of documents or
reports to support each control
activity. For a Type II assess-
ment, the auditors actually test
the effectiveness of the controls
to determine whether they can
reasonably meet the control
objectives they were designed to
meet. Thus, a Type II audit con-
sists of inquiry, observation, and
testing of transaction processing
and controls that were in place
over, for example, a 6-month
period. The Type II audit pro-
vides the control validation
through testing that is most
often sought after by clients and
prospects. While the Type II
comes with a much higher cost,
it is the one primarily chosen,
since it usually meets the needs
of the user.
New in SSAE 16 over SAS
70 is a requirement that auditors
use suitable criteria for evaluat-
ing the overall system of the
service provider. Different stan-
dards could be used to provide
those criteria, depending on the
type of services the company
provides. Possible frameworks
include Information Technology
27
Infrastructure Library (ITIL),
Committee of Sponsoring
Organizations of the Treadway
Commission (COSO), Control
Objectives for Information and
Related Technology (COBIT),
or International Organization
for Standardization (ISO) 27001.
The criteria used must be speci-
fied in the management attesta-
tion section of the report. The
minimum suitable criteria are
specified in SSAE 16. Another
change from SAS 70 was the
disallowance of auditors’ using
evidence collected during prior
audits. This was previously done
to reduce the extent and time
consumption of the testing.
Now auditors may not use this
evidence from prior engage-
ments about the satisfactory
operation of controls.
Another major change from
SAS 70 is SSAE 16’s require-
ment of several management
attestations. In SSAE 16, man-
agement is required to attest that
the description of the system
fairly presents the system that
was designed and implemented
during the period covered by the
assessment for a Type II or at a
point in time for a Type I. Man-
agement must also attest that the
controls related to the control
objectives stated in that descrip-
tion were suitably designed dur-
ing that period for a Type II
or at that point in time for a
Type I to achieve the firm’s con-
trol objectives. Finally, manage-
ment must attest for Type II
assessments that the controls
operated effectively throughout
that period. The fact that man-
agement must now make these
attestations further highlights
the management of the service
provider’s full responsibility for
its own controls. It also fully
aligns SSAE 16 with the require-
ments of Sarbanes-Oxley. Sar-
banes-Oxley requires companies’
DOI 10.1002/jcaf
28
management to make attesta-
tions about the veracity of their
internal control, and SSAE 16’s
attestation requirements for
service organizations also helps
keeps this accountability in place
for all service providers.
A topic deserving of longer
discussion than is available in
this article is how subservice
providers are provided for in
SSAE 16. The service provider
itself may use service providers
to accomplish their processing
of data. This raises the issue
of how this should be handled
in an SSAE 16 audit. If the
services subject to the original
SSAE 16 assessment include
another service provider, a sub-
service organization, it is usu-
ally handled in one of two ways.
Either the inclusive method or
the carve-out method is used
in the audit. In SSAE 16, the
inclusive method requires the
subservice provider’s manage-
ment to provide assertions
similar to those required of the
service provider. The inclusive
method includes the subservice
provider’s controls just as if
the controls were the service
provider’s. If such assertions
can’t be obtained, the carve-out
method is used. A carve-out
assessment excludes the subser-
vice provider’s controls. With a
carve-out assessment, the cus-
tomers would probably want to
obtain the subservice provider’s
own SSAE 16 report. This can
be a complex issue and can
hopefully be decided in a man-
ner that is best for the original
client. However, firms explor-
ing being involved in SSAE 16
audits should be aware of this
issue.
In an actual SSAE 16 audit,
the auditing firm spends about
one to four days at the client site
performing field work. While
it is possible to gather offsite
DOI 10.1002/jcaf
The Journal of Corporate Accounting & Finance / July/August 2014
information, a visit by the CPA
firm is usually necessary. Usu-
ally, one to three auditors will
be required on-site during the
audit. The number depends
on such factors as timing of
the audit and complexity of
the control environment. Most
final reports can be delivered
between 45 and 90 days. It is not
an inexpensive audit, with the
costs depending on the needs of
the audit.
For current users of ser-
vice providers, the intricacies
of SSAE 16 are well traveled
by now. For potential users of
service providers, the CPA firms
offering SSAE 16 audits are
capable of leading the poten-
tial clients through the process.
However, firms thinking about
dealing with an SSAE 16 audit
should be thinking about taking
the following actions. The firms
should review their current ser-
vice contracts to ensure that the
system descriptions are complete
and accurate and review their
existing controls and activities
to ensure they are adequate
and operating effectively. The
firm should also think about
their ability to provide evidence
for each control activity to the
SSAE 16 auditor.
ISAE 3402
SSAE 16 was issued shortly
after ISAE 3402. The authors
of SSAE 16 deliberately tried to
link the accounting standards
of those in the United States
covered by SSAE 16 with those
covered by the globally accepted
principles in ISAE 3402. Thus,
SSAE 16 and ISAE 3402 are
very similar in detail, but there
are some differences. There is
only limited risk of an SSAE
16 report’s not also meeting the
ISAE 3402 standards. But on
that rare occasion, a firm may
also need a separate report for
that ISAE 3402 standard.
ISAE 3402, The Interna-
tional Standard on Assurance
Engagements, was issued by
the International Auditing and
Assurance Standards Board
(IAASB), a standard-setting
board within the International
Federation of Accountants
(IFAC). ISAE 3402 is the glob-
ally recognized standard for
assurance reporting on service
organizations. It was intended
to provide a globally accepted
framework that would replace
SAS 70, the prior de facto
standard. Similar to SSAE 16,
ISAE 3402 requires manage-
ment to provide a description
of its system. In addition, it
requires a written statement
of assertion by management
regarding the state of its inter-
nal controls.
ISAE 3402 reports are also
either a Type I or a Type II
report. If service organizations
decide to utilize the ISAE 3402
framework for reporting on
controls, they should seek out a
well-qualified CPA firm to assist
in these matters. Additionally,
an ISAE 3402 Readiness Assess-
ment should be undertaken to
ensure that service organizations
are aware of the changes nec-
essary for complying with the
ISAE 3402 standard.
SOC 2
In addition to SSAE 16
(SOC 1), another important
report exists to provide infor-
mation to a service provider’s
users. This is the SOC 2 report
that is based on the trust ser-
vice principles and performed
under the AICPA attestation
standard, AT 101. Unlike the
SSAE 16 (SOC 1) audit that is
intended to be an auditor-to-
auditor communication, SOC
© 2014 Wiley Periodicals, Inc.
The Journal of Corporate Accounting & Finance / July/August 2014
2 is a user-restricted report that
is issued at the discretion of the
provider. Those interested in
obtaining such a report include
management, regulators, sup-
pliers, and others needing such
information. Many entities out-
source tasks or entire functions
to service organizations that
operate, collect, process, trans-
mit, store, organize, maintain,
and dispose of information for
user entities. SOC 2 was created
to provide assurance over nonfi-
nancial controls, as opposed to
SSAE 16, which provides assur-
ance over financial controls.
Specifically, SOC 2 examines
and reports on the security,
availability, processing integrity,
confidentiality, and privacy of
the service provider’s system.
Some examples of service pro-
viders that might need an SOC
2 report include Software as a
Service (SaaS) providers, data
centers, document producers,
and data analytics providers.
When looking at a system’s
security for SOC 2, the auditor
is primarily checking whether
the system is protected, both
logically and physically, against
unauthorized access. The main
issue examined on systems avail-
ability is whether the system is
running and accessible to its
clients as committed or agreed
to in its contracts. When check-
ing on processing integrity, the
auditor is primarily concerned
with the service provider’s abil-
ity to produce properly autho-
rized, complete, accurate, and
timely information. Finally, the
two main uses of the SOC 2
report are verifying the service
provider’s system’s ability to
protect its confidential informa-
tion and its ability to abide by
applicable privacy laws. These
privacy laws include such pri-
vacy principles as those put
forth by the AICPA and the
© 2014 Wiley Periodicals, Inc.
Canadian Institute of Chartered
Accountants (CICA).
When assessing the trust
service principles that SOC 2
is based on, auditors are
focused on four broad areas:
Policies, Communications,
Procedures, and Monitoring.
Each of the four principles
criteria are defined within the
SOC 2 guidelines. The auditor
must find proof of adherence
to these principles to produce
an unqualified opinion. The
valuable aspect about the trust
principles is that the criteria are
already predefined in the guide-
lines. Thus, the service provid-
ers can take steps to meet them
in advance of the audit.
Service providers are not
required to address all the
principles involved in SOC 2
guidelines. SOC 2 reports can
be limited only to the prin-
ciples that are relevant to the
outsourced service providers.
An organization at the heart
of cloud computing, the Cloud
Security Alliance, issued a posi-
tion paper regarding SOC l, 2,
and 3 reports. In the position
paper, they determined that an
SOC 2 would be sufficient for
most cloud providers.
SOC 3
The final report, the SOC 3
report, is similar to the SOC 2,
the main difference being that
an SOC 3 report can be freely
distributed and is primarily
designed as a marketing tool for
the service provider.
The SOC 3 report shows
only that the service provider
meets the trust services criteria.
It provides no description of
tests and results or opinion on
description of the system as
provided in SOC 2. Because the
SOC 3 report lacks any detailed
information, it can be issued
29
only as a Type II report. SOC 3
reports can be issued on one or
several of the trust services prin-
ciples: security, availability, pro-
cessing integrity, confidentiality,
and privacy. Completion of an
SOC 3 report grants the service
provider the ability to display
an SOC 3 (SysTrust) seal on its
website.
The trust service principles
at the heart of SOC 3 were
designed with a focus on e-com-
merce systems. They were built
on the existing AICPA offerings
in this area, WebTrust and Sys-
Trust. The WebTrust certifica-
tion is a seal of approval regard-
ing a business’s e-commerce
site. WebTrust is founded on the
principles of privacy, consumer
protection, and certification
authority. The privacy aspect
assures that the audit is based
on the prevailing online privacy
principles and criteria. WebTrust
provides consumer protection
by assessing processing integrity
and the relevant online privacy
principles. Finally, WebTrust
bases its scope on specific prin-
ciples and related criteria unique
to certification authorities. In
essence, the service provider is
purchasing a seal of approval
regarding its e-commerce opera-
tions.
SysTrust is a more intense
review of the operating system
and indicates whether the ser-
vice provider meets the desired
criteria. Among the major issues
for a SysTrust review is whether
the system is protected against
unauthorized access (both physi-
cal and logical). Other issues
include keeping information
confidential and correct process-
ing of information.
SOC 3 is primarily a market-
ing tool for the service provider.
If the service provider has met
the criteria for WebTrust or
SysTrust, then the SOC 3 report
DOI 10.1002/jcaf
30 The Journal of Corporate Accounting & Finance / July/August 2014

will be a positive report for it to
achieve.
CONCLUSION
This is a complex topic
that should be discussed with
the CPA firms involved in the
process. Deciding which SOC
is appropriate and meeting
the required criteria can be a
daunting task. An excellent
starting place for additional
information on these topics
is the AICPA website. There
are specialized pages available
for the Service Organization
Controls and SysTrust and
WebTrust. Other vendors have
their own websites on these
topics that would be invalu-
able for making comparisons
on many of the issues in this
article.

Kurt Fanning, PhD, CPA, CMA, CIA, CISA, is an associate professor at Grand Valley State University. Kurt
has written articles for publication in scholarly journals such as International Journal of Intelligent Systems
in Accounting, Finance and Management, Accounting, Journal of Corporate Accounting & Finance, New
Review of Applied Expert Systems and Emerging Technologies, and Financial Studies Journal. His primary
teaching and research interests are in management fraud and accounting information systems.

DOI 10.1002/jcaf © 2014 Wiley Periodicals, Inc.

Copyright of Journal of Corporate Accounting & Finance (Wiley) is the property of John
Wiley & Sons, Inc. and its content may not be copied or emailed to multiple sites or posted to
a listserv without the copyright holder's express written permission. However, users may
print, download, or email articles for individual use.