Cloud computing is transforming business IT services, but it also presents significant risks that need to be planned for. Key issues include cloud security, customer service, vendor management, and legal and regulatory compliance.
The audit approach will probably vary according to the scale and complexity of the service being used. To this end, internal audit should consider the following questions before starting the work:
· Is the existing audit risk assessment process flexible enough to differentiate between the variety of cloud services that can be used?
· Is there a clear understanding of the difference between the organization and the cloud, and of where the technology boundary begins and ends?
· Has sufficient explanation been provided to key internal parties, including directors and the audit committee, to highlight the business rationale for or the impact of cloud provision?
· How does the audit work complement the broader vendor assessments that consider third-party and fourth-party risks?
· How will samples be selected, and are there opportunities to employ data analysis, either through the service provider or internally, to enable complex analyses that account for ups and downs in supply?
· Are audit teams well aware of the differences between cloud computing services, and are they applying the right approach to provide effective audit coverage?
· Is the organization's cloud strategy linked to the overall business strategy?
Given this, some risks and challenges arise, starting with security. Security is one of the main focus areas of this service and requires detailed knowledge. There is a wide range of security controls to consider, from access control and encryption to cyber defenses and monitoring. How the cloud service provider implements recognized security standards will also be critical to consider.
Another challenge is maintaining operational resilience effectively so that customer service is sustained, in addition to meeting legal and regulatory requirements. Internal audit will need to consider the level of resilience required and how the cloud provider meets those requirements. Internal auditors also need to understand how the operating model works, and can use service metrics and meetings with the service provider to gain a better understanding of the cloud.
Governance policies and processes are also important. There must be a clear transition in which the business-as-usual approach is effectively incorporated into the organization. An organization-wide cloud policy needs to be established. Cloud services can be purchased easily, and there is a risk that, without proper governance, organizations will lose central control of the IT that is being used.
Finally, there is the importance of complying with regulatory and legal requirements. Financial regulators will be increasingly focused on the potential concentration risk that arises when several large organizations use a small number of vendors, such as Amazon, Google, IBM, and Microsoft. A service failure at a large cloud service provider can result in a mass outage. As the use of cloud technology matures, organizations adopt new operating models with greater automation that move away from traditional IT management and service design. Internal audit will need to consider how it moves to provide real-time assurance.
Contact TATICCA — ALLINIAL GLOBAL, which provides integrated auditing, accounting, tax, corporate finance, financial advisory, risk advisory, technology, business consulting and training services. For more information, visit www.taticca.com.br or email taticca@taticca.com.br. Our company has professionals with extensive market experience and uses certified methodologies in carrying out its activities.