Datacenters Do Not Need a SOC 1 Just Because They Host a Financially Relevant Application

I have heard on more than one occasion that a datacenter was told by its service auditor that it needs an SSAE 16 (SOC 1) report because it hosts applications that are relevant to its customers' financial reporting.

Okay, well what if the datacenter does not have logical access to the server? What if backup processes are controlled by the client? Then all that remains is physical access and environmental controls.

I have walked through the types of scenarios that would need to occur before these kinds of controls could have any relevance to financial reporting, and have demonstrated that it is unreasonable to conclude that they fall within ICFR (internal control over financial reporting).

I would like to challenge anyone out there to take a control from such a datacenter's SOC 1 report and walk through a scenario to demonstrate how the absence or failure of that control could impact their customer's financial statements.  You can leave a comment on this post, or upload your analysis here.

21 comments:

  1. Have you ever performed an IT audit as part of a financial statement audit of a public company that is subject to Sarbanes-Oxley?

    Replies
    1. Over 10 years with Big-4, and hundreds of SOX clients and almost none of them required physical security testing other than basic access to the data center and their backup storage/encryption process (in case the tapes were accessible within the data center), assuming you have appropriate logical controls in place to restrict admin access.

      Remember, just because it was in CobiT Lite doesn't mean it was necessary. That only applies to the people who didn't actually read the guidance where it says that you have to apply those controls that are relevant to your particular business. I think there are something like 130 controls listed there. For a standard SOX IT General Controls review I'd say you could handle the high-risk areas easily in under 30, focusing only on Security, Change Management, and Backup & Recovery. The majority of the rest could be rationalized away as operational risks.

    2. Ryan, so do you agree that datacenters do not need SOC 1 reports if they do not have logical access, or manage backups for their customers?

  2. Yes. I was an independent contractor for several large tier 2 CPA firms and performed management testing as part of a financial statement audit preparation. We used the CoBIT for SOX framework that included physical security and environmental controls in years 1 through about 3 of SOX compliance, but they were eliminated from scope from year 4 onwards because of the low risk nature of those controls. It is my understanding that only the Big 4 continue to resist eliminating them from scope.

    This is probably why we see the reluctance of the market to move away from SAS 70. I said SAS 70 there on purpose. Nothing has changed with SOC reports. The market was and still is very comfortable leaving non-ICFR controls in these reports so that those who do not know any better rely on them for non-ICFR assurance.

    The market will never move to SOC 2 unless they are forced to remove security and availability related controls from their SOC 1 reports, and put them in a SOC 2.

    Replies
    1. Last time I checked, the big 4 audit firms controlled a sound 98% market share of companies with over $1 billion in annual revenue. To trivialize their standards of practice and make it seem like they are in the minority would be akin to asking the earth to rotate on its axis backwards. In a sampling of second tier firms back in 2004, most that I spoke to thought that IT auditors were the ones that fixed their computers when they broke, so I find it hard to believe that they have reached a position of thought leadership in this industry in such a short period of time.

      Availability and environmental related controls have been eliminated from SOX controls expectations by big 4 companies AND it is not something that you can opine on in either SAS 70 or SOC 1 reports, so I'm not exactly sure why you are bringing that into the argument. With regards to physical security, it stays in based upon the premise that it is impossible to logically secure your information systems if physical access to them is not secure. To me, without physical access controls in place, I can't give an unqualified opinion of logical access controls.

      As a general rule, general IT controls will never relate specifically to ICFR controls - they are simply the foundation of controls that are pervasive across the entire environment and give financial auditors a basis for doing more application and IT-dependent manual control testing as part of their audit, rather than substantively beating a company to death.

      If someone stole your laptop or cell phone, wouldn't you worry about what they'd be able to get from it?

  3. If someone stole my laptop, I would restore my data to my other laptop, and life would go on. They wouldn't get any data from my laptop because the hard drive is encrypted, and you can't get to my data even if you try to reset the BIOS by removing the CMOS battery.

    Physical security being a pre-requisite to logical security is not a valid argument for ICFR relevance. Take the example of my laptop being in my car. Sure, if I lock my car doors, it might prevent my laptop from being stolen, but it won't cause me to misstate my financials or file my taxes incorrectly if I have a backup of my data. The real risk is that I lose my hardware, not my data.

    You say that availability and environmental controls have been eliminated from SOC 1 reports, but I can tell you that they are alive and well and Big 4 audit firms are opining on them. I have included a link to a spreadsheet that contains examples in my blog post titled "Examples of Non-ICFR Controls in an Actual SSAE 16."

    With regard to our inability to move the Big 4, I wouldn't be so sure. I recall that they used to be called the Big 6, then they were the Big 5, and now there are 4. The bigger they are the harder they fall, as we learned from the Enron story. It is precisely issues like this that cause mistrust in the market, and could even be one of the reasons the PCAOB is talking about mandatory auditor rotation again.

    Finally, your statement about IT controls never relating to ICFR specifically, and that they are foundationally pervasive enabling less substantive testing, is mumbo jumbo designed to baffle the unintelligent. Let's talk in specific terms, rather than trying to gloss over issues. I will be happy to engage you on any examples you can offer to support your claim.

    Replies
    1. Unfortunately your laptop analogy is flawed...

      ... From a financial reporting standpoint, the main risk is not that someone will walk into a colocation facility and walk out with a server. One of the FR risks, for example, is that they can gain logical access to a server. It can be much easier to hack a server when you have physical access, bypassing several layers of logical network security controls. If physical access is not restricted and monitored, this breach may not be prevented and may go undetected.

      Once access is established, the possibilities are virtually endless and many scenarios can result in manipulation of data that may go undetected, causing a company to potentially misstate their financials.

      As the anonymous poster mentioned, one can't opine with certainty if physical access controls are ignored.

      And you can't argue that your laptop is much less likely to be stolen locked up in your car's trunk than say left out on a park bench.

      And that's great that your laptop is secure - but many servers are not hardened to these standards. What percentage of public companies do you think have full encryption on their servers hosting financial applications?

      Additionally, many colocation facilities are more than just physical access controls & environmental safeguards. They engage in managed services and do have logical access to servers, firewalls, etc.

      I'm not arguing the need for more reliance on SOC 2's and I understand where the AICPA is coming from, but I can't agree with the statement that physical security has no impact on ICFR.

    2. Agreed!!!!!

  4. Mike, thank you so much for your comments. Let's walk through the Degrees of Risk Separation (DoRS) scenario in this case.

    1st Degree: A hacker gains physical access to a server hosting Oracle Financials for a publicly traded company.

    2nd Degree: The server has a DVD/CD ROM drive or a USB port allowing the hacker to insert O/S security bypass software such as John-the-Ripper, and gain administrative access to the server.

    3rd Degree: The hacker runs an Oracle script that checks for default user id / password combinations to see if any exist. Finding one, he logs in and makes a financially significant change to G/L balance.

    4th Degree: The material G/L balance change is not caught during financial statement preparation, and causes a material misstatement.

    To reasonably be considered ICFR, I draw the line at 2~3 DoRS. 4 DoRS is overkill. Do you have an alternate scenario?

    Replies
    1. The lack of controls over the DVD/CD drive or the USB port is the root cause of the breach, not the physical access. Effective logical controls trump physical controls. Physical access alone can only disrupt availability. You have to have logical access to get to material misstatement.

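
The third degree in the DoRS scenario above turns on an Oracle account still carrying its vendor default password. As an added example (not from the original post or any commenter), the following query lists such accounts using Oracle's own DBA_USERS_WITH_DEFPWD view, which exists in Oracle Database 11g and later; run as a user with SELECT on the DBA views. On a hardened host the result set is empty, which is the evidence an auditor testing that logical control would want to see.

```sql
-- Added example: enumerate Oracle accounts whose password is still a vendor default.
-- DBA_USERS_WITH_DEFPWD is a real Oracle data dictionary view (11g+); joining to
-- DBA_USERS shows whether the account can actually log in (OPEN) or is already
-- locked/expired, which is the difference between a finding and a note.
SELECT d.username,
       u.account_status,
       u.profile,
       u.created
  FROM dba_users_with_defpwd d
  JOIN dba_users u
    ON u.username = d.username
 ORDER BY CASE WHEN u.account_status = 'OPEN' THEN 0 ELSE 1 END,
          d.username;

-- Remediation for each OPEN row returned. The placeholders below are assumptions
-- to be filled in per account; they are not values from the original post.
-- Account still needed:
--   ALTER USER <username> IDENTIFIED BY "<new strong password>";
-- Account not needed:
--   ALTER USER <username> ACCOUNT LOCK PASSWORD EXPIRE;
```

The point of the ordering is practical: rows with account_status OPEN are the ones that close the gap between degree 2 and degree 3 in the scenario; a locked or expired default account does not.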
  5. Jon, I am just curious...are you a CPA? Most CPAs would agree with Anonymous (above) - as do I. Physical security is a key control consideration for ANY audit really. Whether one is talking about facility access, cash, locking up check stock, servers, or data backups. If assets are not secured, the reliability of the financial data is compromised.

    On your blog you challenged “…anyone out there to take a control from such a datacenter's SOC 1 report and walk through a scenario to demonstrate how the absence or failure of that control could impact their customer's financial statements.” You already did this on this post “Examples of Non-ICFR Controls in an Actual SSAE16.” It doesn’t matter how many “degrees of separation” you come up with for the data center, to the user organization, there is only one (their data is unrecoverable, financial statements are misstated.)

    Back to the stolen laptop scenario: You said, “…if I lock my car doors, it might prevent my laptop from being stolen, but it won't cause me to misstate my financials or file my taxes incorrectly if I have a backup of my data.”

    That is a BIG if. This assumes that you have a current, reliable, and readily available backup of your data in a Physically Secure location (meaning it hasn’t been tampered with). Assuming you did have it backed up, then the physical security of that backup data is just as important as the physical security of the hardware (your laptop). If you didn’t have it backed up, you would have lost everything; i.e., you might not even be able to produce your financial statements, let alone misstate them.

    Another scenario: Suppose my financial data is hosted by a data center. My financial statements are being audited and the auditors request a SOC 1 from the data center. Well, the data center has only been in business a couple of years and doesn’t have a SOC 1. Since all of my financial reporting transactions occur at the data center, the auditors need to get some comfort that there are internal controls in place. So they drive over to the data center and find that it is actually an old rusty mobile home with a couple of servers in a closet. The front door is wide open, strangers are coming in and out to chat or borrow a cup of sugar, and rats are chewing through walls and wires. Are you telling me that they would issue an unqualified opinion on the reliability of the financial statements? I seriously doubt it. A reasonable person could not say (without EXTENSIVE additional testing) that under the circumstances, there is reasonable assurance that the financial statements are free of material misstatements. Anyone at any time had access to the hardware that houses the financial statements.

    If the data center hardware is not physically secure, it poses a threat to the reliability of the data it holds. Therefore, it stays in.

    Replies
    1. Something to note - It's extremely difficult to call any exception in IT General Controls a 'material weakness' due to the lack of ability to apply a dollar value to the finding. Because ITGC risks are pervasive in nature, and don't directly map to the financial statements/GL what you are saying would be a guess. Again, unless you have control gaps that would allow a person with console access to get into your systems, the physical security to the data center would be tested at a very high-level, likely restricted access and monitoring. If that's in place, then the rest (environmental, building access, etc) would be scoped out.

      Besides asking if anyone's a CPA, did you ask if anyone's a CISA? I'd say you need the opinion of both. Which you now have.

      Remember, 'availability' of the data and 'integrity' of the data are not the same thing.

    2. Agreed. For SOC 1, we are talking 'integrity' of the data. I realise my examples are extreme, but I think my point is just what Anonymous #1 said above...

      "As a general rule, general IT controls will never relate specifically to ICFR controls - they are simply the foundation of controls that are pervasive across the entire environment and give financial auditors a basis for doing more application and IT-dependent manual control testing as part of their audit, rather than substantively beating a company to death."

  6. Thank you very much for your comments. People always resort to, "Are you a CPA?" when they want to discredit rather than discuss challenging topics. I think not being a CPA actually enhances my credibility in this case. That being said, I'm very close to adding "CPA" to my name. Oddly enough, none of my intermediate and upper level accounting classes went into the technical detail that we are discussing here, nor did the Auditing section of the CPA exam. CPAs tend to look at IT as one big bucket, and rarely take the time to dissect technical topics such as physical and logical security.

    I am not saying that physical security is not important. It is just not relevant to ICFR. It is very important from a security and availability perspective.

    If a hacker wants to cause a company to materially misstate their financials, there are many better ways to do it than breaking in physically.

    I challenge you to come up with a step by step scenario using the rusty mobile home hosting environment, and follow through to the misstatement. Don't just jump to misstatement from rusty.

    Replies
    1. I totally agree with you that physical and logical security should be more closely analyzed. That is why I enjoy reading your blog. Sometimes I agree with you…sometimes I don’t. We can go back and forth all day long about physical security and whether or not it is an ICFR, but the fact is that determination is ultimately left to the CPAs professional judgment. Every case will not be the same. There is no generic answer that can fit every situation.

    2. Thanks. I enjoy this dialogue, and sincerely hope that it contributes to the success of SOC 2 reports. Have a great weekend.

  7. My main point is that there are almost always going to be logical access weaknesses. (Sometimes business needs win over security controls and therefore we rely on mitigating controls to reduce risk.) That is why so many auditors also rely on physical access controls. If there are no physical access controls, then the risk associated with those logical access weaknesses is increased.

    If you setup one server on a street corner and another in a secured datacenter, which one do you think will get hacked first?

    I firmly believe that at least basic, high level physical access controls are an important part of ICFR.

  8. Great conversation, however the CPA question is relevant. The CPA is the one signing off on the financial statements. Today, the SOC1 is a requirement and it is nearly impossible to argue away from that. I trust your point Jon and can't argue with your logic very much...but reality is different than a discussion of DoRS, or the encryption on your laptop. It's actually related to the data at risk. Anyhoo, that's my HO.

  9. AS 5 Appendix B:
    B20. Evidence that the controls that are relevant to the auditor's opinion are operating effectively may be obtained by following the procedures described in AU sec. 324.12. These procedures include -
    a. Obtaining a service auditor's report on controls placed in operation and tests of operating effectiveness, or a report on the application of agreed-upon procedures that describes relevant tests of controls.

    Note that this DOES NOT SPECIFY a SAS 70 report or a SOC1. Your statement that SOC1 is a requirement is incorrect. Not impossible at all to argue away from that.

  10. What we are really talking about with a financial statement audit is the potential for misstatement of financial reporting. I challenge anyone that has commented here to describe a scenario where physical access alone (with no logical control weaknesses at all) can lead to misstatement. Physical access can lead to disruption of availability of a system but cannot alone lead to misstatement.

  11. How about this turn of events? The AICPA says that user orgs and their auditors can rely on SOC 2 for financial statement risks now. http://riskassuranceguy.blogspot.com/2013/04/soc-2-can-be-relied-on-in-financial.html
