Auditors Fear the Cloud

Does internal audit only see the dark, rainy clouds? Can you see whether the silver lining, the potential of cloud computing, is worth the risk?

My personal view is that while caution should always be exercised, auditors should work with management to determine how to move into the cloud to seize its opportunities, while taking on an acceptable level of risk given the potential for reward.

Auditors should not fear risk. If you eliminate risk, you will also eliminate profit.

The key is to make decisions based on a knowledge of both the potential for adverse impacts and the potential for reward.

SC Magazine had a good set of questions in a November 2010 article:

  1. Am I using a trusted vendor?
  2. Have I considered the value and risk to the information that I am outsourcing to the cloud provider?
  3. What business continuity and disaster recovery measures are in place in the cloud infrastructure? Does the cloud provider have a backup in place?
  4. Have I considered the potential implication of employees wanting to sabotage a successful cloud migration strategy?
  5. Have I considered how knowledge of the business process would be retained and versioned, should I wish to switch cloud providers at a future date?
  6. Do I have a detailed list of security controls based on security, operational and business risks to determine how the cloud vendor complies with them?
  7. Does your cloud provider meet the regulatory or compliance requirements needed by your organization?
  8. How do I audit or evaluate security controls placed on the cloud-based infrastructure?

CIO-Asia had a similar piece this month, but only asked five questions, while CIO-UK needed eight. (But I still prefer the SC Magazine list.)

The questions for auditors are:

  1. Do you know what your organization is doing now with cloud? What is running where?
  2. What are your organization’s plans and strategies for cloud?
  3. Are you involved, helping them navigate the risks and rewards? If not, why not?
  4. Are you being reasonable with respect to taking on risk, relative to the potential rewards?
  5. Are you an enabler, a navigator, or a roadblock to success?

Posted on Apr 29, 2011 by Norman Marks

  1. "auditors should work with management to determine how to move into the cloud to seize its opportunities"

    Beyond compliance concerns, why would auditors be involved in a business decision like this at all? Feels like over-reaching the sane boundaries of responsibility to me.

  2. Alex, internal auditors should be consultants to management. Of course it is up to management whether and when to move into the cloud, but we can be risk and control advisors. It's part of our 'assurance and consulting services' mission.

  3. I think the pertinent point of auditor involvement would be to review the adequacy of management's risk and security assessment in going for a cloud environment - especially, but not limited to:

    a. whether the strategy to move to the cloud was in line with the overall business objectives,

    b. whether the enterprise security standards were adhered to,

    c. whether the risks had been evaluated, assessed and treated,

    d. whether controls were effectively designed, with responsibilities assigned, for the re-engineered process (in moving the service / software to the cloud),

    e. whether a governance mechanism has been set in place to periodically evaluate the service / vendor performance and adherence to organizational norms, both process and security; to monitor performance; and to revise strategy / action points as needed.

    The auditor needs to work closely in providing assurance to the Board and the management while the management decides to embark on a cloud computing strategy. The role will be more involved in the first year to evaluate the efficacy of the risk assessment and controls definition around the strategy. From subsequent years, it should be part of the audit program for more regular risk-control based audits.