4b  Assurance

Cloud providers typically offer assurance to their customers in the form of Service Organisation Controls reports (SOC1, SOC2 and SOC3). Cloud providers commission independent auditors to write these reports to provide assurance on their processes and security arrangements. Management needs clarity on the assurance these reports provide and where there may be controls gaps or areas where further assurance is needed. External auditors will also wish to have sight of these reports as part of the annual audit.

Questions audit committees could ask:

•  Does management understand the general scope and limitations of different Service Organisation Controls reports? Is assurance required to cover financial reporting (SOC1) or wider operational controls (SOC2)? Is a publishable public-facing report (SOC3) needed? Does the report provide a view on the cloud provider's latest penetration test or vulnerability assessment report?

•  Is management clear on the scope of controls tested and the extent of testing? Is the service auditor a recognised firm? What additional controls or assurance is needed to cover internal processes and systems? If there are weaknesses or gaps in the cloud provider's controls, are there additional steps which management should take to strengthen internal controls? Should management obtain further assurance on the overall operating model?

•  Do Service Organisation Controls reports give assurance on the success of operational controls over time? Are Type 2 reports available which test the controls over time rather than simply documenting them? Does management have a way of monitoring any changes in key controls between reports?

•  Are Service Organisation Controls reports frequent enough to keep pace with continuous improvement? Is there a mechanism to allow management to continuously monitor compliance with key controls? Is there a trigger clause to oblige the cloud provider to obtain a new report if it makes significant changes to its systems or controls?

•  Does management carefully scrutinise Service Organisation Controls report findings? Even if the report gives an 'unqualified opinion', are there any exceptions noted? What is the quality of the cloud provider's responses to any exceptions raised?