Cloud computing is disrupting CPA firms, their clients and the traditional norms of the external audit and quality control. Therefore, CPAs need to be on their guard.
Cloud computing is defined as a means for enabling on-demand access to shared pools of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released. Popular cloud deployment models include private clouds, public clouds, hybrid clouds and community clouds, while cloud service provider (CSP) services include Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS).
By going to the cloud, you are essentially extending beyond hosting software on the company's premises (within its four walls) and controlling access to the company's network and data the old-fashioned way. However, current security models are not designed to accommodate the growing virtual nature of the extended enterprise, which creates a conflict either by limiting a company’s ability to conduct business or by putting the business at risk.
Continued investment in traditional approaches to security will be ineffective and prohibitively costly. New approaches to securing the enterprise that are aligned with today’s corporate environment are critical to maintaining both an acceptable level of risk and a manageable cost.
CPAs will need to make selective changes to accept cloud-computing-related engagements, such as training staff, securing subject-matter experts, and protecting the privacy of client data accessed through clients and their CSP clouds and stored on the CPA firm’s clouds.
Audit clients who move some or all of their accounting systems to public clouds introduce complexity, disruption and risk. For example, a cloud computing environment often integrates third-party CSPs, and potentially fourth-party sub-contracted CSPs, into the client’s accounting system and control environment. This creates a complex web of CSPs that results in shared responsibilities between the client and CSPs for financial accounting data, cybersecurity and internal control over financial reporting (ICFR), service organizations control (SOC) reporting and assurance services.
Such material changes to the control environment and accounting system require auditors to obtain an understanding of the company’s environment and risks as a basis for assessing the risk of material misstatement (RMM) of the financial statements. CSPs provide SOC internal control reports (SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity) on the third-party services provided by them.
Cloud computing also impacts CPA assurance providers in several ways, such as obtaining an understanding of the audit client’s cloud environment; identifying and assessing the RMM; defining the role to be served by SOC reports; and assessing the impact of the client’s and the firm’s cloud computing activities on the firm’s compliance with generally accepted auditing standards (GAAS) Quality Control Standards.
In its 2020/21 request for comment, the AICPA Auditing Standards Board (ASB) recognized that “Rapid developments in technologies are having a profound effect on audit and assurance engagements, including the use of automated tools and techniques and changes in how engagement teams are structured and interact.” It also noted that to “keep our standards relevant in a changing environment,” the ASB commits to monitoring the use of innovative technologies and determining whether the standards in place for the acceptance of clients and service performance are appropriate.