Vendor Audits In the Cloud

Fieldpoint Private Bank & Trust makes no bones about its enthusiasm for finding reliable ways to job out IT.
“As long as you can tie your tech budget to an operating expense as opposed to a capital expense, you can base your cost on true demand,” according to Joe Larizza, chief administrative officer of the Greenwich, Conn.-based institution, who says the bank is a big adopter of cloud computing, and he’d rather “hire the best” to deliver information technology.
Larizza’s not alone: in a tough IT economy, more financial institutions are taking a shine to the new, cost-effective methods that outsourcers are using to deliver tech services.
But the complex deals that banks are now inking with providers require an added level of scrutiny of the outsourcer’s IT infrastructure and its ability to provide the access, reliability and security that it promises in its sales and marketing materials. That requires a level of due diligence that can’t be accomplished by prevailing audit forms and standards. One problem that banks have faced is the lack of a universal vetting tool or test that proves the outsourcer’s IT and data integrity controls are up to snuff, and equal to their overall financial strength.
But help’s on the way. Two new test reports from the American Institute of CPAs attempt to address the data privacy, protection and reliability issues that many bankers have said were missing from traditional SAS 70 audits (and the SSAE 16 update issued by the AICPA this spring), causing those audits to be misused as a “seal” of tech soundness by outsourcers. That has created a gap in confidence that is widening as adoption of virtualization, cloud and other outsourcing innovation expands, creating added risks in the supply chain.
The new test reports, SOC 2 and SOC 3, provide tougher audit requirements for data-intensive activities, such as storage, accrual, messaging and archiving. The tests are particularly designed to force providers to account for data center service, IT organization, security, availability, processing, confidentiality and privacy. The difference between SOC 2 and SOC 3 is that SOC 3 certification carries a seal, which the provider can display as part of its marketing efforts. SOC stands for “service organization controls.”
The new tests are designed to account for a new age in outsourcing in which the providers of the technology change quickly in terms of exposure to their own third-party providers and in their use of dynamic technology that evolves quickly.
“The standards that were used in the past are being reevaluated in terms of a cloud-type environment,” says Bernard Golden, chief executive officer of Hyperstratus, a cloud computing consultancy. “That was already happening with the advent of virtualization, where firms were moving beyond the environment in which you could assume a physically static infrastructure. With virtualization, we’ve moved beyond a static infrastructure.”
Like Golden, Mike Versace, a research director at IDC Financial Insights, says SAS 70’s use case is based on a more traditional view of an outsourcer’s performance. “When you apply SAS 70 to a cloud, it’s tricky because there tends to be more of an operational responsibility tied to a cloud service provider than if they were outsourcing a service,” he says.
Tyler Quinn, CPA, CISA for Kaufman & Rossin & Co., a firm that performs audits of service providers for financial institutions, says most banks aren’t using the SOC 2 reports yet, but that should change as more people in the tech, auditing and financial services communities become aware of them.
“Most banks, in the current cycle of vendor due diligence, are just starting to get the SSAE 16 reports. But with the concerns regarding security, and the education from auditors who will be recommending [SOC 2], we’ll see more of it,” he says.
SOC 2 and 3 are designed to provide a more data-center-intensive test to stand alongside the alphabet soup of third-party audit forms that banks and other companies have used for years to vet service providers and outsource partners. Standards like the ISO group of standards, SAS 70, and SSAE 16 are focused on the financial performance, corporate controls and general IT performance of service providers. But these standards, in the eyes of banks, don’t pinpoint weaknesses in the data security, compliance and integrity risks posed by virtualization and cloud computing.
“The issue with SSAE 16 reports is there’s no testing done over controls of data privacy and availability of data. If a bank is outsourcing any of their core business, they need to have access to all of their data. And how do they have confidence in that without testing for data availability?” asks Quinn, who contends the relatively new SSAE 16 report isn’t substantially different from the older SAS 70 in this regard.
Since bad access controls or policies regarding the use of external devices, such as USB ports, by tech firm employees can lead to a data breach, an outage or a legal violation at an outsourcer, there are expanded security risks and liabilities that require the new tech-centric and supply chain vetting that SOC 2 attempts to provide. It requires a deeper look into internal controls at providers, such as the relationship between corporate structure and access privileges for the main service provider and its outsourcing partners.
“There are a variety of models” for outsourcing IT, says Doug Barbin, director of Brightline CPAs and Associates. “You may have providers hosting a [platform] in another third-party data center. You can look up the food chain and there may be three [outsourcers].”
And security is not the only concern: compliance is also complex in a cloud environment. Versace says prospective bank clients will want assurance that, given the cloud’s multi-tenant structure, the bank will be able to access data necessary for its own reporting requirements.
“Banks want a more complete compliance reporting capability between a cloud provider and their business,” he says.
The added IT-focused testing of SOC 2 and 3 should be welcome for banks that are now faced with pulling together a hodgepodge of standards, as well as their own complex vetting of a supplier’s IT program.
Fieldpoint Private, which serves high-net-worth clients mostly in New York City’s Connecticut suburbs, outsources most IT services and much of its software. It tests suppliers for contingency plans, backup, recovery, latency and accessibility – using its own due diligence, as well as SAS 70 or SSAE 16, or other standards based on the outsourcer’s particular line of business, which can include PCI for payments processing or HIPAA for healthcare-related transaction IT.
“We spend as much time as we can in the proposal process,” Larizza says, adding that the SOC 2 report would be welcome. “We look at everything that we would like to secure if we were doing it on our own.”
Versace says the next step in IT development will include ways in which banks can monitor the data security and compliance of their outsourcing providers by integrating bank governance, risk and compliance systems with the data and services that they are receiving from their cloud and other outsource firms.
This level of integration is about a year out or more, according to Versace. But there are some early nudges in that direction. Symantec and VMware at the end of August expanded their partnership to offer desktop-as-a-service applications with integrated security and management. The offering combines Symantec’s endpoint protection and the Altiris Client Management Suite, which reside inside the tech firm’s client network, with VMware’s virtual desktop and cloud products, such as VMware View, vShield, vCloud Director 1.5 and vSphere 5. More partnerships like this are sure to follow.
“The ecosystem around cloud computing and companies is starting to come together,” Versace says.

Tyler Quinn, CISA, CPA, is an Assurance & Advisory Services Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.