Auditing the Cloud (NEW) - Training - The Institute of Internal Auditors (IIA)
IIA On-site Seminars
To schedule your on-site or custom program call 1+407-937-1388 or e-mail onsiteseminars@theiia.org.

Auditing the Cloud NEW

Your opportunity to...
After this course, participants will be able to:
  • Discuss business benefits of Cloud Computing
  • Distinguish between the various forms of Cloud Computing
  • Prioritize and recommend risk mitigation strategies for addressing Cloud Computing concerns
  • Explain contract compliance fundamentals, with a focus on the “Terms and Conditions” that can be used to protect each party
  • Discuss recent cases and events affecting Cloud Computing service providers and their customers
  • Prepare an organization-specific audit program for Cloud Computing
Calling all...
  • Attendees should have a minimum of three to five years of experience, and have completed a variety of Operational and/or Financial Audits.
  • IT Auditors and IT Managers are welcome to attend; however, this is a course on the contractual and management issues associated with Cloud Computing. This is not a technical IT Audit class.
  • Chief Audit Executives seeking to understand the key risks and opportunities related to Cloud Computing should also plan to attend.
Course Description

This course introduces the seemingly new and specific risks of the various types of Cloud Computing. Through reviewing recent Cloud Computing failures and breaches, together with a detailed discussion of traditional contract compliance issues and associated risk mitigation strategies, participants will come away with an ability to assess and prioritize risks associated with their organization’s planned or existing implementation(s) of Cloud Computing.

This course also emphasizes established tools and techniques to assess and prioritize these risks. Course exercises will provide attendees the opportunity to prepare an audit program specific to Cloud Computing for their organizations. Best practices for reporting, including use of visual models to communicate the location of data and responsibility for controls, will be featured.

Prerequisites: Supervisory or managerial experience is recommended. Business and auditing experience, including interviewing, negotiation, and reporting skills, is recommended.

Advanced Preparation: None is required. However, attendees may benefit from building an inventory of cloud computing systems being used or proposed at their organization. Time permitting, examples from participants may be incorporated in addition to those in the materials.

Delivery Method: Group-Live


Course Outline
Recent Failures and Breaches in Cloud Computing
  • Discuss cloud computing risks at your organization, based on examples of failures or breaches at other organizations.
  • Discuss recent headlines of cloud computing failures and breaches.
  • Consider the operational, financial, legal, and compliance implications of these headlines for your firm.
IT Risk Assessment Frameworks
  • Explain IT risk assessment frameworks, focusing on confidentiality, integrity, and availability.
  • Clarify the “new” risks of cloud computing, including security, availability, compliance, co-location (i.e., multi-tenancy), sustainability, and scalability.
  • Compare these “new” risks against other known risks and controls, using existing IT and operational audit frameworks and techniques.
  • Begin to develop a cloud-focused risk assessment at your firm that considers organization-specific risks and compliance requirements.
Business Benefits of Cloud Computing (Why the Cloud?)
  • Compare and contrast cloud computing against more traditional IT systems and controls.
  • State the business benefits of cloud computing, including efficiency, scalability, and flexibility.
  • State the prevalence of cloud computing.
  • Identify some of the cloud providers and distinguish between their service offerings.
Defining the Buzzwords
  • Establish a common vocabulary for cloud computing.
  • Compare public, private, and hybrid cloud computing.
  • Distinguish between SaaS, IaaS, PaaS, and DaaS forms of cloud computing.
  • Contrast cloud computing and virtualization.
Develop a Risk-assessment Questionnaire for Your Enterprise
  • Develop a risk-assessment questionnaire to prioritize organization-specific risks associated with cloud computing.
  • Prepare a cloud-focused risk assessment for your firm that considers organization-specific risks and compliance requirements.
  • Execute a cloud-focused risk assessment for your firm that considers organization-specific risks and compliance requirements.
  • Leverage and build on your team’s existing approach to risk assessment.
Risk Responses
  • Recommend risk response options — including risk avoidance, risk reduction, risk sharing, and risk acceptance — given specific risks of cloud computing.
  • Discuss classic risk mitigation techniques as they relate to cloud computing.
  • Identify a scenario where each of these risk responses would be appropriate.
Contract Compliance Fundamentals
  • Explain contract compliance fundamentals, with a focus on the kinds of terms and conditions that can be used to protect each party.
  • Discuss any company-specific or industry-specific requirements that should influence an agreement with your cloud computing vendor(s).
  • Compare and contrast standard “click-through” agreements with the T’s and C’s associated with other common service-level agreements.
User Controls
  • Inform management regarding the importance of user controls in preparing for security breaches or outages related to the use of cloud computing services.
  • Compare the responses and associated consequences for Netflix, Reddit, Quora, and Foursquare during the Amazon EC2 cloud outage of April 2011.
  • Recommend user controls that would avoid, reduce, share, or even accept the risks associated with cloud computing security breaches and outages.
Recent Litigation Cases
  • Apply data points from recent cases and litigation against organization-specific risks related to cloud computing.
  • Discuss recent IT litigation cases and related news events affecting cloud computing providers and their customers.
  • Debate who should approve risk acceptance for cloud computing agreements at your organization.
Developing Your Audit Program
  • Develop a company-specific audit program to assess and mitigate your organization’s risks of cloud computing.
  • Develop a company-specific audit program based on topic areas discussed in class.

    1. The first portion of the audit program will focus on activities to be performed before any new cloud computing vendor comes into use.

    2. The second portion of the audit program will focus on audit activities to be performed for existing cloud computing vendors.

© 2010 The Institute of Internal Auditors / 247 Maitland Avenue Altamonte Springs, FL. 32701-4201 USA / +1-407-937-1100 / FAX +1-407-937-1101 • www.theiia.org