Cloud computing is transforming business IT services, but it also presents significant risks that need to be addressed. Key relevant issues include cloud security, customer service, vendor management, and legal and regulatory compliance.
It is essential to note that the audit approach undertaken is likely to vary depending on the scale and complexity of the service being used. For this, some questions are considered by the internal audit before the start of the work:
·
Is the existing audit risk assessment process flexible enough to differentiate between the variety of cloud services that can be used?
·
Is there a clear understanding of the difference between the organization and the cloud and where the technology boundary begins and ends?
·
Has sufficient explanation been provided to key internal parties, including directors and the audit committee, to highlight the business rationale or impact of providing the cloud?
·
How does the audit work complement broader supplier assessments that are considering third-party and fourth-party risks?
·
How will samples be selected, and are there opportunities to employ data analytics, either through the service provider or in-house, to enable complex analyzes that address peaks and troughs in supply?
·
Are audit teams well aware of the differences in cloud computing services and apply the right approach to provide effective audit coverage?
·
Is the organization's cloud strategy linked to the overall business strategy?
Given this, some risks and challenges are presented, such as the safety factor. Security is one of the main areas of focus for this service and requires detailed knowledge. There are a wide variety of security controls that need to be considered, from access control and encryption to cyber defenses and monitoring. How the cloud service provider implements recognized security standards will also be critical to consider.
Another challenge is to maintain operational resilience effectively to maintain customer service, in addition to meeting legal and regulatory requirements. Internal audit will need to consider the level of resilience required and how the cloud provider meets those requirements. Internal auditors also need to understand how the operating model works and can use service metrics and service provider meetings for a better understanding of the cloud.
Governance policies and processes are also important in the process. There needs to be a clear transition where the business-as-usual approach is effectively incorporated into the organization. An organization-wide cloud policy needs to be established. Cloud services can be purchased easily and there is a risk that, without proper governance, organizations lose central control over the IT being used.
Finally, there is the importance of complying with regulatory and legal aspects. Financial regulators will be increasingly focused on the potential risk of concentration when several large organizations are using a small number of vendors, such as Amazon, Google, IBM and Microsoft. A service failure at a large cloud service provider can result in massive outages. As the use of cloud technology matures, organizations adopt new operating models with greater automation that moves away from traditional IT management and service design. Internal audit will need to consider how it moves to provide real-time assurance.
Get in touch with TATICCA – ALLINIAL GLOBAL, which provides integrated auditing, accounting, tax, corporate finance, financial advisor, risk advisory, technology, business consulting and training. For more information, access www.taticca.com.br or e-mail taticca@taticca.com.br. Our company has professionals with extensive experience in the market and has certified methodologies for carrying out activities.