What CPAs Need to Know About Cloud Computing and Privacy

by Susan Firriolo, CPA, CITP, CGMA, CISA, owner, Tax Correspondence Service, Inc. | May 29, 2020

The current COVID-19 pandemic has upset the work environment for most organizations — office work has shifted to remote form and in-person meetings are all made by appointments to virtually connect. This move to conduct business in the cloud requires sharing information with staff all over the place, and others in a convenient, efficient, and safe way. Behind the scenes working in the cloud or cloud computing requires platforms, applications, and portals.

What’s the best way to work in the cloud? Here are three ways:

  • Platform as a Service (PaaS) connects applications and data bases with files. It is a cloud platform that houses services to develop applications and is accessed through a portal.
  • Software as a Service (SaaS) allows your organization access to cloud-based applications over the internet. A cloud portal is the doorway to the cloud platform. Public portals are operated by subscribing to software which allows users to access the cloud platform. 
  • Infrastructure as a Service (IaaS) gives access to networks, computers, and data storage. The host provider manages the hardware while you manage your own applications and operating systems.

Know the Risks

Although convenient and efficient, cloud computing has security risks. These risks include economic loss, personal suffering, and other problems upon a service breach. It is a challenge to design and operate cloud systems or adopt a software system in the cloud. Data collection, processing, storing, and the disposing of information policies needs to be updated with processes that apply to your cloud technology. Privacy needs and complicated laws affect organizations differently. However, a strong privacy program including written policies and awareness training, can help manage problems. 

That said, data privacy, and protection are not synonymous. Data privacy in the cloud is a legal matter disclosing what data you are collecting and what you plan on using it for. Data protection in the cloud is a technical matter about safeguarding data against unauthorized access. You cannot ensure data privacy unless you give users more control of the data you collect. If data is not protected, its privacy cannot be guaranteed.  On the other hand, data can be protected but may not necessarily be kept private.

In order to address the challenges of protecting data and privacy in the cloud, you can perform a privacy risk assessment. A privacy risk assessment figures out your organization’s level of acceptable risk and is like any other risk assessment which includes a process for identifying and evaluating risks. However, a privacy risk assessment is unique because there are no resources providing guidance when it comes to protecting privacy.  It is also hard to intermingle a privacy risk assessment with an organization’s general risk assessment.

A way to perform a privacy risk assessment is to informally involve users by questioning concerns they have about their data. Create transparent policies and do not gather more information than you need. Policies should address user concerns about how you are using and protecting their data. But keep in mind as legal requirements expand and new breaches occur, policies may need to be modified or added.


Susan  Firriolo

Susan Firriolo

Susan Firriolo, CPA, CITP, CGMA, CISA, is president of Pet Rescue 990 Project. She is a leader of the Technology Work Group within the NJCPA Accounting & Auditing Standards Interest Group and is a member of several other NJCPA interest groups, including Emerging Technologies, Business & Industry Professionals, Federal Taxation and State Taxation. She also serves on the NJCPA Content Advisory Board.

More content by Susan Firriolo:

Learn more from Susan Firriolo:


Leave a comment