As part of SOX requirements, each U.S. public company is responsible for establishing and
monitoring internal controls, including those maintained by a third party, such as a cloud
service provider. Therefore, if a (potential) cloud customer is a U.S. public company or is
planning to become public, it should consider how using a cloud provider affects its
financial reporting controls.

If a customer processes accounting or financial information on Google Cloud Platform, the
customer’s management may determine that some Google Cloud Platform services are in scope
for their SOX obligations. The customer’s management must make their own judgment regarding
Google Cloud Platform’s SOX applicability. If the customer requests information about controls
over specific GCP products, we refer them to the Google Cloud Platform Service Organization
Control (SOC) 1 Type II report. This report includes Google’s descriptions of GCP systems and
controls, an independent auditor opinion on the accuracy of management’s description, an
independent auditor opinion on the appropriateness of the controls described in meeting the
stated objectives, and an independent auditor opinion on the effectiveness of those controls
in meeting the stated objectives.