As CFO, regulatory compliance is an issue that you deal with every day. The cloud provider that you choose should have a track record with customers that share the same compliance issues as your organization. Check with those customers to make sure that the provider has been responsive to audit requests and passed all requirements.
- What is SSAE 16? Following an SSAE 16 audit, an auditor will issue a Service Organization Control (SOC) report that looks at internal controls within the service provider's organization. The SOC 1 report gives the auditor's opinion of how accurate and complete the data center is in its design of controls, systems, and services. This report is a detailed audit that shows prospective and current customers that the data center has been thoroughly checked and deemed to have satisfactory controls and safeguards in place for hosting and processing sensitive information. Publicly held companies have a right to audit their service providers, and often the SSAE 16 report from a technology service provider will satisfy audit requirements for a variety of compliance regimes. Set forth by the American Institute of Certified Public Accountants (AICPA), SSAE 16 attestation is designed to be the authoritative guidance for reporting on service organizations. This attestation serves as a replacement for, and an upgrade from, a SAS 70 service auditor's examination, as it focuses more on a formalized certification of a service provider's control processes and is conducted by a neutral, third-party auditor. SSAE 16 (Statement on Standards for Attestation Engagements No. 16) verifies the controls and processes being followed by the service provider while also requiring a written assertion regarding the design and operating effectiveness of the controls being audited. As an added benefit, SSAE 16 standards bring service providers in the United States up to date with new international service organization reporting standards.
- Can we be Sarbanes-Oxley compliant with an ERP system in the cloud? Absolutely. In many cases, the policies that the ERP cloud provider has in place are far more stringent than even SOX requires. Your cloud provider should be able to provide a description of each control activity surrounding data processing activities, including input, processing, output, and security to assure SOX compliance for your ERP system.
- Is cloud-based ERP a good choice if we are thinking about going public someday? Cloud ERP is the choice of many start-up companies that hope to go public over time. A big part of being IPO-ready includes understanding SOX requirements for public companies and establishing company guidelines, processes, systems and procedures to keep these requirements in mind as the company grows. Make sure your ERP cloud provider can assure your compliance from the start.
By ERP Cloud Blog Editors, www.erpsoftwareblog.com/cloud