CSA Drafts New SOC Position Paper

Phil Agcaoili, Founding Member, Cloud Security Alliance

David Barton, Principal, UHY Advisors


In June 2011, the American Institute of Certified Public Accountants (AICPA) retired SAS 70, which had been the commonly used reporting standard within the information technology industry for providing third-party audits of controls. At that time, the AICPA introduced three Service Organization Control (SOC) reporting options intended to replace SAS 70: SOC 1 (and the associated SSAE 16 guidance), SOC 2, and SOC 3.

The new AICPA reporting framework was created to eliminate confusion in the marketplace for service organizations (including cloud providers) wishing to provide their customers with third-party assurance on their controls. Part of this confusion stems from buyers not knowing the purpose of each type of available report and its intended use.

The Cloud Security Alliance (CSA) has drafted the following position paper as a means to educate its members and provide guidance on selecting the most appropriate reporting standard.

After careful consideration of alternatives, the Cloud Security Alliance has determined that, for most cloud providers, a SOC 2 Type 2 attestation examination conducted in accordance with AICPA standard AT Section 101 (AT 101), using the CSA Cloud Controls Matrix (CCM) as additional suitable criteria, is likely to meet the assurance and reporting needs of the majority of users of cloud services.

We’d like to thank the following people for their time and energy over the past year to help develop, define, harden, and deliver this guidance that we know will help our industry—Chris Halterman (E&Y), David Barton (UHY Advisors), Jon Long (CompliancePoint), Dan Schroeder (Habif, Arogeti & Wynne), Ryan Buckner (BrightLine), Beth Ross (E&Y), Jim Reavis (Cloud Security Alliance), Daniele Catteddu (Cloud Security Alliance), Audrey Katcher (Rubin Brown), Erin Mackler (AICPA), Janis Parthun (AICPA), and Phil Agcaoili (Cox Communications).


3 thoughts on “CSA Drafts New SOC Position Paper”

  1. The CCM makes SOC 2 relevant to cloud computing. Without the CCM, cloud service providers are left to define their own control activities in satisfying the SOC 2 TSPC control objectives. I hope that every CSP will adopt the SOC 2 with CCM included as additional subject matter model to ensure comparability in the industry between vendors.

  2. Jon,

    Thank you. Your voice was heard in the process, and I appreciate your contributions to get to this consensus.

    Phil Agcaoili
