What is the role of SOC reports in achieving the objectives of the CSA?
First, what is the CSA? The CSA is the acronym for the Cloud Security Alliance, which is a “not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.” It’s an excellent and well-respected organization that helps cloud providers and users of cloud services have more secure experiences.
So what does the CSA have to do with the AICPA? Well, nothing directly, but indirectly both organizations have a responsibility to the public and this is where their objectives converge. As cloud services have grown over the years, user organizations (see post on Terms here) have come to demand that service organizations provide some independent representations on the internal controls related to the services they are providing to others. This is where the AICPA and SOC reports come in to play. These reports are designed to report on the controls—ICFR for SOC 1 (formerly SSAE 16) and Non-ICFR for SOC 2—within the service organization. These reports provide a certain level of assurance that is beneficial for users of their services as well as user auditors. The following statement has been issued by the CSA: “The CSA has determined that for most cloud providers, a type 2 SOC 2 attestation examination conducted in accordance with AT section 101 of the AICPA attestation standards is likely to meet the assurance and reporting needs of the majority of users of cloud services, when the criteria for the engagement are supplemented by the criteria in the CSA Cloud Controls Matrix (CCM).” In fact, the CSA and AICPA put out a joint paper on the CSA’s position on SOC audit reports, which can be found here.
With all of the commerce and other types of transactions and information that traverse the Internet, it is useful that there are organizations such as the CSA, AICPA, and many others, which are focused on serving the public’s interests. While nothing will ever give complete assurance as to the internal controls for a service organization, SOC audit reports go a long way to providing a level of assurance that is acceptable to most people and organizations.
 CSA Position Paper on AICPA Service Organization Control Reports, February 2013.