control, and governance
Head in the Clouds
Edited by Dennis McGuffie
A chief audit executive considers what to do after learning that one of the firm’s regional sales offices — the most profitable region in the company — has been using cloud-based services without corporate approval.
Mark Rueben is the chief audit executive (CAE) at Maverick Paper Products, a large U.S. paper manufacturing and packaging company, with locations throughout the country. Maverick has a decentralized organizational structure, which means their internal auditors spend about 70 percent of their time visiting the various locations.
Mark recently received a call from one of his auditors, Dirk Yastrimski, who was performing an audit at Maverick’s mid-states region office. Dirk also had the regional mid-states vice president, Jason Barber, on the phone with him to discuss a new cloud computing arrangement he discovered while performing his payment review. Dirk thought other control considerations may be involved, aside from the basic contract approval and compliance documentation issues, but Jason had another view.
“Here’s the deal, Mark,” Jason began. “We got tired of waiting for corporate to move our technology into this century while our competition eats us alive. This new SalesMonster cloud computing solution we purchased has really revved up our sales team. We were already the leading region in sales, and with this new system we’re projecting we’ll beat our sales budget for this quarter by almost 20 percent. You audit guys aren’t going to cause a problem for the No. 1 sales region in the company, are you?”
Mark has been working to improve the image of Maverick’s internal audit department and doesn’t want to compromise his relationship with the vice president of the most profitable region in the company. But at the same time he sees reports of security breaches in the news with increasing regularity, and he doesn’t want Maverick to become front-page news either. Was Jason’s decision to move forward without corporate involvement such a bad idea? Sales were in fact up, and SalesMonster.com has hundreds of large-company clients that probably performed security assessments and due diligence before signing on. Why should Maverick spend its limited resources to duplicate what SalesMonster has already done? What type of work could Maverick do at this point anyway, considering the product has already been in place for most of the year?
Karen Tavana, CISA, CPM
IT Audit Manager
Texas Instruments Inc.
As companies move to the “cloud” for reductions in cycle time and cost, they should remember the lessons learned in the 1990s with IT outsourcing. Some outsourcing initiatives resulted in cost reduction and productivity improvements, but other companies thought that simply outsourcing to an “industry leader” would protect them and therefore failed to perform the appropriate due diligence. They did not take the time to ensure the scope of service was well defined, engage key stakeholders, or clearly establish the obligations of both parties. This caused some companies to experience unacceptable service levels and cost increases, and it left them with no mechanism for getting out of the deal.
Cloud computing is a form of IT outsourcing. No matter how big, well known, or trusted a third-party IT service provider may be, failing to perform appropriate due diligence could lead to significant organizational harm.
Mark can still protect Maverick Paper while preserving his relationship with Jason. Although Jason wants productivity improvements, he would not want to compromise his sales data or alienate his customers. Risk issues for Mark to consider include:
Many countries have laws to protect personally identifiable information and restrict certain data transfers. Protected data can include business partner contact information. The legal department should verify Maverick is not violating any applicable country laws.
How would you handle this scenario? Share your comments below.