Cloud computing is transforming business IT services, increasing its operational efficiencies and reducing its costs. But the use of cloud computing services also poses significant risks that need to be planned for by audit committees, boards and management if they are to be handled effectively.
Relevant key issues include cloud security, customer services, supplier management and legal and regulatory compliance.
Our publication How to audit the cloud provides internal audit functions with important guidance on the work they should carry out.
ICAEW members can view the full-length guide on conducting an effective cloud audit.
It is important to note that the audit approach carried out is likely to vary, depending on the scale and complexity of the service being used. Questions that internal audit will need to consider before they begin their work include:
Security is one of the main areas of this report’s focus and requires detailed knowledge. There is a broad range of security controls that need to be considered, from access control and encryption through to cyber defences and monitoring. How the cloud service provider implements recognised security standards will also be critical to consider.
Effective operational resilience is necessary for maintaining service for customers in addition to meeting regulatory and legal requirements. Internal audit will need to consider the level of resilience required and how the cloud provider meets these requirements.
Internal auditors will need to understand how the operating model works and may use service metrics, defined KPIs and meetings with the service provider (or supplier management team) to gain a greater understanding of the cloud.
There needs to be a clear transition in which the business-as-usual approach is effectively embedded into the organisation. An organisation-wide cloud policy needs to be established. Cloud services can be procured easily, and there is a risk that, without the right governance, organisations could lose central control of the IT being used.
Cloud provision will need to comply with both regulatory and legal requirements. This complex area is evolving. Financial regulators will be increasingly focused on the potential risk of concentration where a number of large organisations are using a small number of providers, such as Amazon, Google, IBM and Microsoft. A service failure at a large cloud service provider could result in mass disruption.
As the use of cloud technology matures, organisations will be adopting new operational models with increased automation that move away from traditional IT management and service design. Internal audit will need to consider how it moves towards providing real-time assurance.