Head in the Clouds

August 2011

Head in the Clouds

A chief audit executive considers what to do after learning that one of the firm’s regional sales offices — the most profitable region in the company — has been using cloud-based services without corporate approval.

Mark Rueben is the chief audit executive (CAE) at Maverick Paper Products, a large U.S. paper manufacturing and packaging company, with locations throughout the country. Maverick has a decentralized organizational structure, which means their internal auditors spend about 70 percent of their time visiting the various locations.

Mark recently received a call from one of his auditors, Dirk Yastrimski, who was performing an audit at Maverick’s mid-states region office. Dirk also had the regional mid-states vice president, Jason Barber, on the phone with him to discuss a new cloud computing arrangement he discovered while performing his payment review. Dirk thought other control considerations may be involved, aside from the basic contract approval and compliance documentation issues, but Jason had another view.

“Here’s the deal Mark,” Jason began. “We got tired of waiting for corporate to move our technology into this century while our competition eats us alive. This new SalesMonster cloud computing solution we purchased has really revved up our sales team. We were already the leading region in sales, and with this new system we’re projecting we’ll beat our sales budget for this quarter by almost 20 percent. You audit guys aren’t going to cause a problem for the No. 1 sales region in the company, are you?”

Mark has been working to improve the image of Maverick’s internal audit department and doesn’t want to compromise his relationship with the vice president of the most profitable region in the company. But at the same time he sees reports of security breaches in the news with increasingly regularity, and he doesn’t want Maverick to become front page news either. Was Jason’s decision to move forward without corporate involvement such a bad idea? Sales were in fact up, and SalesMonster.com has hundreds of large-company clients that probably performed security assessments and due diligence before signing on. Why should Maverick spend its limited resources to duplicate what SalesMonster has already done? What type of work could Maverick do at this point anyway, considering the product has already been in place for most of the year?

Karen Tavana, CISA, CPM
IT Audit Manager
Texas Instruments Inc.

As companies move to the “cloud” for reductions in cycle time and cost, they should remember the lessons learned in the 1990s with IT outsourcing. Some outsourcing initiatives resulted in cost reduction and productivity improvements, but other companies thought that simply outsourcing to an “industry leader” would protect them and therefore failed to perform the appropriate due diligence. They did not take the time to ensure the scope of service was well defined, engage key stakeholders, or clearly establish the obligations of both parties. This caused some companies to experience unacceptable service levels and cost increases, and it left them with no mechanism for getting out of the deal.

Cloud computing is a form of IT outsourcing. No matter how big, well known, or trusted a third-party IT service provider may be, failing to perform appropriate due diligence could lead to significant organizational harm.

Mark can still protect Maverick Paper while preserving his relationship with Jason. Although Jason wants productivity improvements, he would not want to compromise his sales data or alienate his customers. Risk issues for Mark to consider include:

Is there a documented agreement with SalesMonster that defines how it can use Maverick’s data? What is SalesMonster’s liability if data is misused?
What are SalesMonster’s security practices? Would Maverick receive notification if its data were compromised?
What if SalesMonster cannot provide the required services — an increased concern when service is low cost/free — or it goes out of business? Would Maverick lose its sales data?

Many countries have laws to protect personally identifiable information and restrict certain data transfers. Protected data can include business partner contact information. The legal department should verify Maverick is not violating any applicable country laws.

How would you handle this scenario? Share your comments below.

Share This Article:

Cloud Computing
I would agree with the issues mentioned above for Mark to consider. Adequate BCM/ DR arrangements are imperative. Also, the contractual agreements should include the following: a) the right for Maverick's internal and external auditors to access the service providers premises and records for audit after giving reasonable notice. b) if Maverick is part of a regulated industry, the right for the concerned regulator to get unhindered access to the service provider's records. Also, it needs to be seen that in case Maverick is part of a regulated industry then is the concerned regulator required to be notified of this cloud computing arrangement, either for information purposes only or for approval? SInce the owner of the arrangement in this case is the Sales team, they should document a risk assessment highlighting the key risks arising from the arrangement with the corresponding mitigants that should be reviewed by the internal audit team in this instance. This is in line with the RCSA conceot adopted by several leading organizations and should help to further strengthen controls. Thanks. Rohit Abbey
Posted By: Rohit Abbey
2011-08-05 3:46 AM

Head in the Clouds
Being the most profitable division in the company does not give the division vice president the right or royal perogative to disregard those corporate policies and corporate decision making processes that he disagrees with. That's a common rationalization made by those who do things without proper authority. The situation has to be written up and moved up the chain to the President of the organization and if serious enough to the Audit Committee. The President may wish to condone the activity retroactively which can mitigate the move to the cloud but nonetheless the incident and executive decision should be documented. There may well be others who will also be found to have been complicit. Cloud agreements are often multi-year and can be financially material that procurement rules were breached. Transitioning to the Cloud often requires some IT involvement so there may be issues with the organization's enterprise IT change processes. From a monitoring perspective, it's incredulous that the central office did not notice a significant reduction in the payments processing from this division. It's an opportunity to implement audit analytics to monitor their AP which could have provided earlier detection (and possible prevention if the VP thought his actions would be detected).
Posted By: David Chiang, CA.CIA, CMC, CRISC, ACDA
2011-08-04 7:31 PM

Cloud Computing
At our firm, we have significant concerns about cloud computing. One key concern is as to the ownership of data when it resides in a non-exclusive environment and it can be stored anywhere throughout the globe. This can be a contractual issue that is unique to cloud computing.
Posted By: Alan Grandoff
2011-08-04 9:59 AM

I would first point out to Jason that Internal Audit is not there to make life more difficult, but to confirm that Mark has weighed all of the risks vs. the benefits. I would add that we prefer to look at changes in advance so that we can point out potential problems before the company is in a difficult situation. I would then tell Jason that Dirk will be auditing the process now and preparing a report including, of course, recommendations to address any issues found.
Posted By: DaveM
2011-08-04 8:36 AM

COMMENT ON THIS ARTICLE

Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>