How to avoid storms in the cloud

The risks and issues organizations need to address.

April 23, 2012
by Audrey Katcher, CPA/CITP, and Steve Ursillo, Jr., CPA/CITP
If you listen to the hype surrounding cloud computing, you might believe the cloud is a virtual IT heaven, one where accounting firms and other organizations no longer have to worry about purchasing, setting up, or maintaining servers and computer networks. In the nirvana known as the cloud, organizations also don’t have to buy expensive software licenses or worry about having to install updates or patches. Instead, organizations can access all the applications, servers, and storage they need simply by contracting with a cloud provider that supplies all the technology and takes on all the IT risk.

If only it were that easy.

The fact is, although accounting firms and other organizations might shed some IT costs and purchasing risk with a move to the cloud, such a shift introduces new questions, concerns, and risks that organizations need to address. Here’s a look at some of the questions you should answer before you go cloud hopping.

What information and services would you move to the cloud? What is their significance to the company?

When you “move” to the cloud, you are outsourcing a combination of your organization’s information, applications, and services to a third party. This raises security and access concerns. For example, you might provide transactional services (e.g., online payments or payroll processing) that involve confidential data such as personally identifiable information and credit card numbers. Your clients or customers might expect real-time transaction processing 24 hours a day, seven days a week. You’ll need a provider that guarantees that kind of up-time while also keeping your confidential data safe from hackers. It’s crucial that you understand what you need in terms of data hosting and processing, as well as access to applications. Keep in mind, for example, that if you decide to move all of your IT processes to the cloud, then an outage at your provider would leave you unable to access any of your applications or data. How do you avoid those types of situations? Do you have in-house backup, or does the provider guarantee backup? Those are questions you need to have answered.

What does the cloud provider promise for service levels and what happens if those service promises aren’t kept?

Many cloud providers offer form contracts, which may be vague regarding service levels and may offer limited warranties and indemnities. Consider negotiating specifics with cloud providers. Establish up-time and access expectations and metrics with a service level agreement (SLA). Demand that the contract contain provisions for refunds or credits should the provider not live up to the SLA. Make sure there is an exit clause in the contract that releases your organization if the provider fails to meet contractually required performance measures. Also, get answers to these questions: Does your contract support seasonal variation in volume, or is capacity fixed? Has your provider undergone an independent controls assessment, such as a Service Organization Control (SOC) 1, 2 or 3 report? If so, what were the results? Otherwise, how do you receive confirmation that the SLA metrics in your contract are being met?

If you want or need to change cloud providers, would you be able to easily move your data and applications?

Another item to check in a cloud-computing contract: Would the terms lock you into processes or platforms unique to that cloud provider? If you move your applications and systems to a provider’s processing platform, can you easily move data and system backups to another provider if necessary? If you are using a third party’s application, is there a compatible application available in the event you need to move? Some cloud providers use proprietary interfaces. Be wary of those. They can impair your ability to walk away from a poorly performing provider.

Who bears the risk for security breaches?

Some cloud providers structure contracts that place the responsibility for security with their customers. For example, one major cloud provider’s terms and conditions state that it has “no liability...for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.” In a multi-tenant (shared) environment, how can you be sure that malicious activity affecting one tenant won’t impact your data? Make sure that your potential cloud provider is transparent about its security practices. Does the provider have an effective security environment? Does the provider furnish a SOC 2 report? How does the provider manage its vendors, and how does it vet its employees? Do those employees receive security training beyond an employee handbook and periodic emails?

There are many more questions and issues that organizations should address before moving forward with a cloud strategy. Here is a partial list:

  1. What are the insurance coverage risks? These often are covered under cyber-risk policies. See the article “Insurance Coverage for Data Breaches,” published in the Dec. 19, 2011, issue of the CPA Insider™.
  2. What is the Return on Investment (ROI)/Total Cost of Ownership (TCO) risk? Will paying on a per-use basis for access to software, data and processes prove to be a better bottom-line option than the traditional IT setup?
  3. Will the solution meet your organization’s functional needs? Does the agreement account for unique needs (for example, PCI compliance) and for variable use?
  4. Is the cloud provider financially stable?
  5. Does the contract address the full range of your organization’s legal rights? (Confidentiality, privacy, protecting intellectual property, limitation of liability and termination rights, data ownership, data recovery for provider change, e-discovery, and data retention.)
  6. Does your organization have software licenses that prevent it from moving applications to the cloud provider?
  7. How is your organization ensuring that security, confidentiality, privacy, processing-integrity, and availability risks are mitigated in a sustainable way?
  8. Who in the organization is managing its cloud provider relationships?
  9. How does the organization become or remain aware of the use of cloud providers through nontraditional channels, as a result of the consumerization of IT or business-department purchases of cloud services outside of standard procurement?
  10. What are the escalation procedures in case of a security/data/privacy breach?

The authors will address those issues in a panel discussion, called “Managing Risks in the Cloud Environment,” at the Practitioners Symposium and TECH+ Conference in partnership with the Association for Accounting Marketing Summit. The conference will run June 11-13 at the Aria in Las Vegas.

Audrey Katcher, CPA/CITP, is a partner in the St. Louis office of accounting firm RubinBrown. Steve Ursillo Jr., CPA/CITP, is a partner and director of Technology & Assurance Services at West Warwick, R.I.-based Sparrow, Johnson & Ursillo. David Richert, CPA, a manager at RubinBrown, contributed to this article.