<?xml version="1.0"?>
<rss version="2.0">
<channel>
<title>Head in the Clouds</title><link>http://www.theiia.org/intAuditor/ask-the-experts/2011/head-in-the-clouds/</link>
<description>Blog</description><language>en-us</language>
<pubDate>Wed, 08 Feb 2012 07:48:57 AM</pubDate><lastBuildDate>Wed, 08 Feb 2012 07:48:57 AM</lastBuildDate>
<item><link>http://www.theiia.org/intAuditor/ask-the-experts/2011/head-in-the-clouds/</link><pubDate>2011-08-05</pubDate><title>Cloud Computing</title><description>I would agree with the issues mentioned above for Mark to consider. Adequate BCM/DR arrangements are imperative. Also, the contractual agreements should include the following:

a) the right for Maverick&apos;s internal and external auditors to access the service provider&apos;s premises and records for audit after giving reasonable notice.

b) if Maverick is part of a regulated industry, the right for the concerned regulator to get unhindered access to the service provider&apos;s records.

Also, it needs to be seen that in case Maverick is part of a regulated industry then is the concerned regulator required to be notified of this cloud computing arrangement, either for information purposes only or for approval? 

Since the owner of the arrangement in this case is the Sales team, they should document a risk assessment highlighting the key risks arising from the arrangement with the corresponding mitigants that should be reviewed by the internal audit team in this instance. This is in line with the RCSA concept adopted by several leading organizations and should help to further strengthen controls.

Thanks.

Rohit Abbey</description></item>
<item><link>http://www.theiia.org/intAuditor/ask-the-experts/2011/head-in-the-clouds/</link><pubDate>2011-08-04</pubDate><title>Head in the Clouds</title><description>Being the most profitable division in the company does not give the division vice president the right or royal prerogative to disregard those corporate policies and corporate decision making processes that he disagrees with. That&apos;s a common rationalization made by those who do things without proper authority. The situation has to be written up and moved up the chain to the President of the organization and if serious enough to the Audit Committee. The President may wish to condone the activity retroactively which can mitigate the move to the cloud but nonetheless the incident and executive decision should be documented. There may well be others who will also be found to have been complicit. Cloud agreements are often multi-year and can be financially material that procurement rules were breached. Transitioning to the Cloud often requires some IT involvement so there may be issues with the organization&apos;s enterprise IT change processes. From a monitoring perspective, it&apos;s incredulous that the central office did not notice a significant reduction in the payments processing from this division. It&apos;s an opportunity to implement audit analytics to monitor their AP which could have provided earlier detection (and possible prevention if the VP thought his actions would be detected).</description></item>
<item><link>http://www.theiia.org/intAuditor/ask-the-experts/2011/head-in-the-clouds/</link><pubDate>2011-08-04</pubDate><title>Cloud Computing</title><description>At our firm, we have significant concerns about cloud computing.  One key concern is as to the ownership of data when it resides in a non-exclusive environment and it can be stored anywhere throughout the globe. This can be a contractual issue that is unique to cloud computing. </description></item>
<item><link>http://www.theiia.org/intAuditor/ask-the-experts/2011/head-in-the-clouds/</link><pubDate>2011-08-04</pubDate><title></title><description>I would first point out to Jason that Internal Audit is not there to make life more difficult, but to confirm that Mark has weighed all of the risks vs. the benefits. I would add that we prefer to look at changes in advance so that we can point out potential problems before the company is in a difficult situation. I would then tell Jason that Dirk will be auditing the process now and preparing a report including, of course, recommendations to address any issues found. </description></item>
</channel>
</rss>

