4 Key Considerations for Adopting Cloud Computing in Internal Audit
Cloud computing – whether provided to organizations via Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS) – presents an array of risk factors for organizations. Internal audit has an essential role to play in helping management and the board identify, consider, and manage these risks, and in determining whether they are being adequately mitigated.
In this article, we look at some of those risks and internal audit’s role in addressing them.
Cloud Ubiquity: The New Norm for a Once-Niche Model
Cloud computing services are now ubiquitous. According to the 2019 RightScale State of the Cloud Report, 94 percent of organizations use the cloud and the average organization uses five cloud services.
Cloud computing has transformed the way in which businesses consume and deliver IT services within their organizations. By making computing resources, including computing power and data storage, available on-demand without the user’s direct oversight or management, cloud computing has empowered organizations and their employees with the flexibility to work anywhere, at any time, in real-time.
Issues and Risks
Organizations face a number of risks in using the cloud, including but not limited to:
- IT bypass: – The unaddressed or unmitigated risks resulting from departments setting up their own technology environments via the cloud and sidestepping the organization’s IT protocols and controls.
- The loss, theft or corruption of sensitive data: The risk of severe reputational damage and possible criminal prosecution or civil action as a result of the loss of sensitive data.
- User access: The risk that cloud providers will fail to adequately restrict data access.
- Regulatory compliance: The risk that organizations subject to regulatory oversight will be found non-compliant (e.g. requirements for the use and protection of personal data).
- Data location and ownership: Depending on where data that is “in the cloud” is actually stored, the risk of failing to meet the requirements of that jurisdiction or of failing to meet customer or contract requirements restricting data storage to certain jurisdictions.
The Role of Internal Audit
Internal audit is in an excellent position to help management and the audit committee/board manage and mitigate these and other risks. Four key areas of focus include the following:
1. Creating a Cloud Strategy
Internal audit should work with management to determine whether a strategy for the cloud is in place, aligned with the needs of the business and its IT strategy, and well-communicated. Among the questions that should be asked:
- Has a business case been built for moving to the cloud?
- Is it consistent with planned investments in application infrastructure?
- Can the risks associated with cloud migration be adequately mitigated or accepted?
- Would a move to the cloud enable the business to grow or scale more cost-efficiently?
- What data, exactly, will be moved to the cloud?
- Is critical data involved?
2. Vendor Evaluation
Internal audit can also play a key role in determining how well vendors are addressing risk and control.
- Have cloud vendors adequately described the data security controls they will use?
- Does the cloud vendor provide detailed descriptions of their security systems, including physical security and user access and authentication protocols?
- Security policies, vulnerability and penetration test results, and attestations on internal control environments should all be requested. Does the vendor have independent assessments of their control environment such as SSAE 16 or ISAE 3402 reports?
- Are the vendor’s business continuity and disaster recovery plans adequate and aligned with the organization’s needs?
3. Implementation of a Cloud Computing Model
Internal audit should assess the migration process and mitigating project risk. Does the implementation align with the organization’s system development approach as well as with project management and change management methodologies? Has the effectiveness of mitigating controls and strategies been assessed before implementation?
Service-level (SLAs) and operating-level agreements (OLAs) have particular importance in regard to cloud computing. These provide objective measures of performance that can be directly linked with business risk. What about the provider’s responsibilities in regard to regulatory, legal and data protection and other requirements? Has a process been defined for identifying and reporting issues, including data breaches, data back-ups, and user access?
4. Vendor Monitoring
Internal Audit should also assess how well the vendor relationship is being monitored and controlled relative to SLAs and OLAs, and also whether issues, as they arise, are being adequately investigated and resolved. Vendor internal control assessments, including SSAE 16s, penetration tests and vulnerability scans, should be routinely reviewed. Is the cloud vendor adequately addressing regulatory requirements?
The Future is Cloud, if We Manage the Risk
Cloud computing is a form of IT outsourcing, of course. Just like any other outsourced service, the rules governing its provision (in the form of SLAs and OLAs) must be carefully defined, managed and monitored. Further, the effectiveness of any contract depends on defining where the responsibilities lie and who bears the risk. Cloud computing is no exception. Internal Audit can make a vital contribution in identifying and evaluating the risks attending these relationships, including in the areas of performance level, business continuity and data protection.
Cloud capabilities are central to IDEA 11, the most recently released version of CaseWare IDEA’s industry-leading software. Check out this announcement to learn more.