You may ask what a CPA is doing in this AWS Community. There are many reasons a CPA could be curious about the challenging work of learning AWS technologies and services. My journey and first interaction with computers and technology was in the 80's, when I started working for an IT outsourcing company back in Venezuela; the "Cloud" concept was there, but in its very early days of development. I remember that company for different reasons. At the beginning I went through technical training to be one of the night console operators for an IBM S/34, an experience that was really new for me right after high school graduation. The minicomputer configuration of that IBM S/34 was quite impressive compared to the computers similar companies had back in those days. The RAM was 256Kb, yes, 256Kb... storage was a dual-disk scheme with a total of 512 MB, yes, you read it right, 512MB, and the system also had two slots for magazines of ten 10-inch floppy disks each, which were used to "upload" data in batch mode; three additional single slots were also part of the mechanical batch system. After all, those were the computing resources of the 80s.
That computer configuration was enough to process the payroll and accounting transactions for 30+ companies, including one big financial institution from the small town I lived in during the 80s. The next two pictures show the minicomputer I was referring to with the above technical specifications.
The next one is a picture showing the two hard drives, each with 256MB of storage capacity, yes, 256MB!!
My second interaction with computers in that company was with a desktop PC, a Hewlett Packard touch-screen PC with a word processor and VisiCalc installed and ready to use; VisiCalc was one of the early spreadsheet applications for the desktop market. I will never forget how impressed I was with that first interaction, and I started feeling an interesting attraction between the binary language and the debit-and-credit accounting rules, which for me are more similar than many people may think. The next picture shows the desktop computer I am referring to in this case:
But let's start to explain why I am here in this community using some of the AWS services available.
Internal Controls and IAM
AWS folks, there is nothing more important for a company, from an accountant's or auditor's perspective, than a robust, healthy and solid "internal control system". Internal controls are the first line of defense to prevent and deter accounting errors or the recording of unauthorized transactions into an accounting GL application.
Most of the global accounting scandals before and after the Enron failure were fueled by weak or non-existent accounting internal control systems. IAM is one of the services AWS offers to make sure proper authorization exists for access to computing resources, which in the end are the bones on which all the financial operations of a company are built. For example, under the "Access Management" console, the AWS IAM service includes the following functionalities:
User Groups: in financial accounting terms (groups or similar terminology), I can create groups for organizational departments such as General Accounting, Payroll, Treasury, Billing, Manufacturing, Operations, etc. By creating specific groups of users the "Internal Control Environment" is stronger, because each group can be assigned specific permissions in terms of resource access. In AWS terminology, a user group is a collection of IAM users.
Users: this functionality is the specific approval for a user to be assigned the administration and management of resources based on a "policy". From an "Internal Control" perspective, an employee should be accountable for the resources he or she is granted, but based on approved "roles" and "policies" established by the organization. For example, it is well known from the theory of internal controls that a person running "bank reconciliations" should not have access to book "journal entries", because of the incompatibility of those roles. In AWS terminology, "An IAM user is an identity with long-term credentials that is used to interact with AWS in an account."
Roles: for companies it is common to assign different "roles" or "functions" to specific employees based on pre-approved policies. For example, in a billing department a group of employees can be assigned the task of issuing invoices to customers, but not the "approval" process for credit limits, which should be assigned to a different group of employees with that "Role". In other words, the employee who approves a credit limit for a client (Role 1) cannot be the one preparing the invoice (Role 2), and vice versa: the employee who prepares the invoice (Role 2) cannot assign or approve credit limits (Role 1). Examples of AWS IAM roles are:
- ApplicationAutoScalingForAmazonAppStreamAccess
- ecsTaskExecutionRole
- AWSServiceRoleForRDS
In AWS terminology, an IAM role is an identity you can create that has specific permissions, with credentials that are valid for short durations.
Policies: the term "policy" is well known in the accounting world; for example, the existence of "accounting policies" is required to apply the recognition, booking and disclosure of economic transactions. A company requires the creation of "internal control policies" because transactions should be approved and processed based on proper authorization. For example, if a digital signature is required to approve a wire transfer, that requirement should be based on a specific "policy" approved by upper management. Some examples of AWS predefined policies are:
- AmazonEC2FullAccess: Provides full access to Amazon EC2 via the AWS Management Console.
- AWSCertificateManagerReadOnly: Provides read only access to AWS Certificate Manager (ACM).
- AlexaForBusinessReadOnlyAccess: Provides read-only access to AlexaForBusiness services.
There are more than 800 AWS predefined policies, so the user can customize a profile in a very detailed way.
In AWS terminology, "a policy is an object in AWS that defines permissions".
There are two more choices under "Access Management" that are beyond the goal of this article: Identity providers and Account settings. The second set of options is related to Access reports.
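To make the "incompatible roles" idea from the Users and Policies sections concrete, here is a small added example (my own illustration, not code from AWS or from this article) that models how IAM identity-based policies attached through user groups combine for a user, and then checks the group membership for segregation-of-duties conflicts such as posting journal entries and running bank reconciliations. The group names, user names, the "ledger:" action names and the policy documents are all constructed for this example; they are written in the shape of IAM JSON policies but are not real AWS actions. The evaluation is deliberately simplified to the core IAM rule that an explicit Deny always wins over an Allow and that anything not explicitly allowed is denied; real IAM evaluation also involves resource policies, service control policies, permission boundaries, conditions and case-insensitive action matching, which this model leaves out.

```python
"""Simplified model of IAM policy evaluation with a segregation-of-duties check.

Added example, not AWS code. All names, actions and policy documents below are
constructed for illustration (the "ledger:" service does not exist in AWS).
"""
from fnmatch import fnmatchcase

# Constructed policy documents in the shape of IAM identity-based policies.
POLICIES = {
    "JournalEntryWrite": {"Statement": [
        {"Effect": "Allow",
         "Action": ["ledger:PostJournalEntry", "ledger:Describe*"],
         "Resource": "*"}]},
    "BankReconciliation": {"Statement": [
        {"Effect": "Allow",
         "Action": ["ledger:ReconcileBankStatement", "ledger:Describe*"],
         "Resource": "*"}]},
    # Guardrail policy: an explicit Deny that blocks posting journal entries
    # even when another attached policy allows it.
    "DenyJournalEntries": {"Statement": [
        {"Effect": "Deny",
         "Action": "ledger:PostJournalEntry",
         "Resource": "*"}]},
}

# Groups map to the policies attached to them (constructed).
GROUPS = {
    "GeneralAccounting": ["JournalEntryWrite"],
    "Treasury": ["BankReconciliation"],
}

# Same groups, but Treasury also carries the explicit Deny guardrail.
GROUPS_WITH_GUARD = {
    **GROUPS,
    "Treasury": GROUPS["Treasury"] + ["DenyJournalEntries"],
}

# Users and their group memberships (constructed). carol is in both groups,
# the kind of mistake an internal-control review should catch.
USERS = {
    "alice": {"groups": ["GeneralAccounting"]},
    "bob": {"groups": ["Treasury"]},
    "carol": {"groups": ["GeneralAccounting", "Treasury"]},
}

# Pairs of actions that one person should never hold together.
INCOMPATIBLE = [("ledger:PostJournalEntry", "ledger:ReconcileBankStatement")]


def _as_list(value):
    """IAM allows "Action" to be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def effective_statements(user, groups=GROUPS):
    """Collect every statement the user inherits through group membership."""
    stmts = []
    for group in USERS[user]["groups"]:
        for policy_name in groups[group]:
            stmts.extend(POLICIES[policy_name]["Statement"])
    return stmts


def is_allowed(user, action, groups=GROUPS):
    """Explicit Deny wins over Allow; no matching statement means denied."""
    allowed = False
    for stmt in effective_statements(user, groups):
        if any(fnmatchcase(action, pattern) for pattern in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return False  # one explicit Deny ends the evaluation
            allowed = True
    return allowed


def sod_violations(pairs=INCOMPATIBLE, groups=GROUPS):
    """Return (user, action_a, action_b) for every user holding both actions."""
    return [(user, a, b)
            for user in USERS
            for a, b in pairs
            if is_allowed(user, a, groups) and is_allowed(user, b, groups)]


if __name__ == "__main__":
    print("Before guardrail:", sod_violations())
    print("After guardrail: ", sod_violations(groups=GROUPS_WITH_GUARD))
```

Run as-is, the check reports carol as a violation with the plain groups and reports nothing once the Treasury group carries the explicit Deny, which is the IAM way of writing the accounting rule "whoever reconciles the bank cannot post journal entries" so that it holds even if someone is later added to the wrong group.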
Compliance and AWS Artifact
One of the services that is not explored much in the AWS service offering is "AWS Artifact", but for accountants it is one of the most comprehensive sources of technical material to validate compliance of the AWS Cloud infrastructure. In AWS terminology, "AWS Artifact provides on-demand downloads of AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and Service Organization Control (SOC) reports. You can also use these documents as guidelines to evaluate your own cloud architecture and assess the effectiveness of your company's internal controls."
I picked this service because of the importance auditors give to the internal control system related to a company's infrastructure, and how this relates to the "Shared Responsibility Model" proposed by AWS, https://aws.amazon.com/compliance/shared-responsibility-model/:
It is important to mention that AWS Artifact provides documentation only for AWS services or matters related to them. This matters from an "internal control perspective" because there could be business processes that are not delivered on AWS Cloud infrastructure, and their security and compliance are not covered. There are approximately 80 solid and detailed documents that are extremely valuable material for those in the field of compliance. AWS even includes, for example, its W-9 form, which is quite surprising but is proof of total disclosure of documentation for total compliance.
If you want to get fully familiar with AWS services, with a very concise and precise description of each service, I have one final recommendation at this point: download and read the following report:
- System and Organization Controls 3 (SOC 3) Report - Report on the Amazon Web Services System Relevant to Security, Availability, and Confidentiality.
The Independent Service Auditor's Report provided by Ernst & Young includes a comprehensive inventory and explanation of the AWS service offering. Ernst & Young is one of the Big 4 worldwide CPA firms.
Stay tuned for Part II
Fernando Catacora
email: fcatacora@redcontable.com
Top comments (1)
Interesting article Fernando, congratulations! I also come to the AWS community from another career background. In my case it was Industrial Automation, where I started in the late 90's with SUN Solaris and later Windows NT workstations and servers.
This different background and these views have also helped me in migrations and modernizations to AWS and Azure, which are mostly optimization/automation problems.