The Cloud Security Alliance (CSA) and the AICPA

The Cloud Security Alliance: is it related to the AICPA?

What is the Cloud Security Alliance (CSA) and how is it related to the American Institute of Certified Public Accountants (AICPA) and SOC 2 reports? As a professional who works mainly on SOC 1 and SOC 2 audits, I find that this question is being asked more frequently by clients and prospective clients.

The short answer to this question is that these two organizations have no direct connection to one another. Indirectly, both organizations have a responsibility to the public, and that is where their objectives converge. Each organization has programs that evaluate the internal controls in place at a service organization, and specifically the security of data in the cloud. As a result, many service organizations may be asked about compliance with programs and/or regulations issued by both organizations. In this post, we will dive deeper into the CSA and how its objectives overlap with and differ from those of the AICPA, and SOC 2 reports specifically.

A Closer Look at the Cloud Security Alliance (CSA)

In their own words, the CSA is, “the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products.”

The CSA is a well-respected organization among cybersecurity professionals that helps cloud providers and users of cloud services educate themselves on secure practices which they can then implement. The CSA was founded in December 2008, and in 2009 it issued its first best practices for cloud computing. Since then, the CSA has continued to grow all over the world and to build on its best practices for cloud computing with the help of its members, subject matter experts, and other associations. The CSA offers training, research, events, programs, and program tools to its members and to other external users in search of information regarding cloud security.


Does the CSA Have Certifications?

In addition to educational resources, research, and training, the CSA also offers professional certificates. Currently, the CSA offers the following certificates focused on cloud security fundamentals and auditing:

What is the CSA STAR Program?

STAR stands for Security, Trust, Assurance and Risk. The STAR Program is a control framework issued by the CSA that covers the security of data in the cloud. It is applicable to cloud service providers, and the CSA maintains a registry that lists the providers that are STAR-certified. The STAR registry documents the companies, the levels of the STAR Program that they have completed, and the security and privacy controls provided by their cloud computing offerings. The CSA offers various resources or “tools” for the STAR program, including the Cloud Controls Matrix (CCM), which is the framework used to evaluate security controls related specifically to the cloud.


What Does the CSA Have to Do with the AICPA?

The answer is: nothing directly. Indirectly, both organizations have a responsibility to the public, and this is where their objectives converge. As cloud services and the use of third-party applications have grown over the years, user organizations have come to demand that service organizations provide some independent representation of the internal controls related to the services they provide to others. This is where the AICPA and SOC reports come into play. These reports are designed to report on the service organization’s internal controls over financial reporting (SOC 1) and on controls applicable to the trust services criteria (SOC 2). Depending on the scope of the report, they include IT general controls and other controls focused on data security, availability, confidentiality, processing integrity, and privacy.

Another reason the AICPA and CSA may come up in the same conversation is that the CSA STAR certification Level 2: Third-Party Audit, specifically STAR Attestation, aligns with a SOC 2 report. The CSA STAR Attestation, “is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA and the CSA Cloud Controls Matrix.”

In practice, this means that if an organization is undergoing a SOC 2 examination, it can typically leverage the controls tested to also obtain STAR Attestation. The CSA also imposes requirements on the firms that conduct Level 2 assessments; one is that the firm must be certified by the AICPA to perform SOC assessments or by an appropriate ISO certification body to perform ISO/IEC 27001:2022 assessments.

Summary

The CSA and the AICPA are not directly related, but they both have programs with control frameworks that overlap. This is why both organizations and their related programs, SOC 2 and STAR Attestation, may come up in the same conversation with a service organization or its user entities. Like the AICPA, the CSA provides cloud providers and users of cloud services with educational resources, training, and professional certificates. Lastly, the CSA and the AICPA have collaborated on the CSA STAR Attestation, which overlaps with SOC 2. With the amount of information and personal data that traverses the Internet, it is useful that there are organizations such as the CSA, the AICPA, and many others that are focused on serving the public’s interests.

If you have further questions regarding CSA STAR or SOC audits, please contact us to get in touch with one of our experienced professionals.

This article was originally published on 10/30/2019 and was updated on 9/11/2024.