00:00:02 Speaker 1
The Institute of Internal Auditors presents All Things Internal Audit Tech, sponsored by Grant Thornton.
00:00:08 Speaker 1
Cloud security has become a top board-level concern and a permanent fixture on audit plans.
00:00:14 Speaker 1
In this companion episode to the Global Best Practices, A Roadmap to Audit in Cloud Security, Adam Ross talks with Vic Rai and Adesh Gandri about the challenges of auditing in multi-cloud environments,
00:00:26 Speaker 1
regulatory requirements, and the importance of governance and shared responsibility.
00:00:31 Speaker 1
They discuss skill gaps, third-party risk frameworks, and practical approaches to building a phased cloud security audit program, helping internal auditors strengthen resilience and provide real value.
00:00:47 Speaker 2
I thought I would start, Vic, by asking you an initial question.
00:00:51 Speaker 2
Maybe you can talk a little bit about why is cloud security a critical focus now?
00:00:56 Speaker 3
Because of the rapid transition that we've seen, one is towards adapting to multi-cloud strategies.
00:01:01 Speaker 3
I mean, if you think about how cloud as a strategy was adopted, maybe 10, even 15 years ago, there wasn't a whole lot of thought about security elements of it.
00:01:12 Speaker 3
But over the years, particularly in the last three to four
00:01:16 Speaker 3
Since the pandemic, I would say 2021, we've seen a rapid adoption and digitization of just manual processes and a lot of organizations looking at going for cost efficiencies and better operations.
00:01:29 Speaker 3
And so cloud becomes like a natural flow of making things better.
00:01:35 Speaker 3
And with that, because of the very nature of cloud, that it allows you to spin up containers, turn on services,
00:01:43 Speaker 3
expand the breadth and depth of capabilities.
00:01:47 Speaker 3
Over the years, it seems that a lot of complex solutions have been moved towards the cloud.
00:01:52 Speaker 3
And in order to manage that, it requires a couple of things.
00:01:56 Speaker 3
A deeper understanding of the various technology platforms.
00:01:59 Speaker 3
It requires an understanding of the dependencies, the various laws and regulations because of the fluidity of data in the cloud environment.
00:02:10 Speaker 3
and also security and data protection mechanisms because of the numerous services that cloud platforms generally have to offer.
00:02:20 Speaker 3
And so what we've witnessed is really a widening of a gap, even skill shortage is an example, meaning that internal audit will certainly lead to help management identify the risks.
00:02:33 Speaker 3
And in order to do that, you also have to upskill and understand the risks from a holistic manner.
00:02:40 Speaker 3
I think that's just a starting point.
00:02:42 Speaker 3
But as technologies evolve, we'll certainly see and they are continuing to evolve with the adoption of AI and everything else that's going on.
00:02:50 Speaker 3
I think it's important to take a step back and see, well, how are we really doing with adoption of cloud as a strategy, as a shared responsibility model, and what are we doing to protect?
00:03:02 Speaker 3
And so a lot of questions are coming up, which is why I think it is catching up to become such an important topic
00:03:10 Speaker 3
with the internal audit today.
00:03:12 Speaker 2
Adesh, as a head of internal audit and as you described, a technologist at heart, what are your perspectives on how cloud has evolved and the role internal audit can and should be playing to help organizations assess and manage security in the cloud?
00:03:29 Speaker 4
So, I agree with everything Vic said, the technology landscape, you know, the pace at which it's evolving.
00:03:37 Speaker 4
It's mind-blowing, right?
00:03:38 Speaker 4
I mean, we all have been in the space where we have seen different generations of technology.
00:03:45 Speaker 4
Obviously, cloud is not a new topic.
00:03:47 Speaker 4
It has been around.
00:03:49 Speaker 4
A lot of firms have experimented with the private cloud, the hybrid cloud strategy, going all the way to the public cloud.
00:03:56 Speaker 4
So I think it's not a new topic, but what's really new, as Vic said, is the rapid pace at which the technology landscape is changing, and along with that, the regulatory landscape.
00:04:07 Speaker 4
So I think from my perspective, as head of Internal Audit here at DTCC, and it's a firm, as you guys know, it's a market infrastructure for the financial services industry.
00:04:19 Speaker 4
It's one of those players where we have to have the scalability that we need to support the industry.
00:04:27 Speaker 4
So cloud is very much part of our strategy.
00:04:31 Speaker 4
It's our strategic priorities as a firm.
00:04:33 Speaker 4
So I do see cloud security specifically as no longer just an IT issue.
00:04:41 Speaker 4
It's actually a board-level concern.
00:04:43 Speaker 4
And it is one of the risks that the board I know is specifically looking at, rapid adoption of cloud, accelerated by the remote work, the digital transformation.
00:04:56 Speaker 4
It just means that cloud risk is now embedded in every aspect of the business operations.
00:05:02 Speaker 4
So as internal audit, as an independent third line, I think it's very important for us to provide transparency and bring risks to the attention of those responsible for managing them.
00:05:14 Speaker 4
And we must ensure that we have a seat at the table, even in the observer capacity, in the right forums, appropriate forums.
00:05:26 Speaker 4
so that we have that adequate visibility into how cloud security is managed.
00:05:32 Speaker 4
And ultimately, the cloud security supports that secure and agile business operations.
00:05:39 Speaker 4
So it's no longer just a checkbox.
00:05:42 Speaker 4
It is a strategic enabler, and audit plays a big role in making sure that we do cover it at the right level.
00:05:51 Speaker 2
That's really fantastic and a lot of really good detail in there.
00:05:54 Speaker 2
I wanted to follow up a little bit.
00:05:56 Speaker 2
So Adesh, maybe you can talk a little bit about what your regulators or your clients' regulators are expecting as it relates to cloud security and the role of internal audit.
00:06:07 Speaker 4
When it comes to regulatory expectations, in some cases, the requirements, like you have the NYDFS Part 500, which I'm pretty sure everybody listening to this podcast would have had something to do with the Part 500 requirements.
00:06:22 Speaker 4
So when it comes to the expectations or the requirements, what's really important for Internal Audit teams is to stay on top of those regulations, those industry standards.
00:06:35 Speaker 4
such as there is a NIST cybersecurity framework.
00:06:39 Speaker 4
There is, if you're using AWS as your cloud service provider, there is an AWS cloud adoption framework.
00:06:45 Speaker 4
You know, what's important is, are you staying on top of, you know, these established frameworks, the best practices, the industry guidance, as well as the regulations, you know, making sure that your audit program
00:06:58 Speaker 4
covers those important elements.
00:07:00 Speaker 4
And the difficulty of that is there is no one consistent guidance.
00:07:05 Speaker 4
There's no one consistent regulation.
00:07:08 Speaker 4
So you have to have a superset of what these different regulations demand, what some of the demands of the evolving threat landscape is, because you can't really have
00:07:24 Speaker 4
a very stagnant audit program, irrespective of what's happening in the industry.
00:07:30 Speaker 4
If you do see that there are some elevated risks that your regulators want you to audit against,
00:07:37 Speaker 4
then I think you need to have that dynamic audit plan in there as well.
00:07:41 Speaker 4
So staying on top of the emerging risks, emerging threats is as important as staying on top of the regulations.
00:07:50 Speaker 4
And this is what comes up in my discussions with the regulators that I interact with.
00:07:57 Speaker 4
And it's really up to us on how we demonstrate that we are staying on top of the threat landscape.
00:08:04 Speaker 2
Vic, any additional thoughts to add from a regulatory compliance perspective?
00:08:09 Speaker 3
Yeah, thanks, Adam.
00:08:10 Speaker 3
I think what Adesh kind of outlined really kind of speaks to the importance of understanding what frameworks and standards are out there, which ones apply to you as an organization.
00:08:22 Speaker 3
So, for example, we'll see a lot of U.S.-based companies adapt towards the NIST standards.
00:08:29 Speaker 3
There is also an ISO standard that talks about cloud and various security elements around it.
00:08:36 Speaker 3
One of my favorites are the ones that I kind of typically align with closely within the audit work that we perform for our clients is the Cloud Controls Matrix.
00:08:45 Speaker 3
It has 17 key domain areas.
00:08:47 Speaker 3
all the way from looking at governance, risk and compliance related control elements to infrastructure related or infrastructure and virtualization security.
00:08:57 Speaker 3
So it offers a broad array of capability areas that can be applied within a cloud setting.
00:09:06 Speaker 3
And I think one point that Adesh mentioned earlier was very important, right?
00:09:10 Speaker 3
So the type of deployment also matters a lot.
00:09:13 Speaker 3
So whether it's a
00:09:16 Speaker 3
software as a service or a platform as a service or infrastructure as a service.
00:09:21 Speaker 3
Depending on the deployment capability model, the services can be applied and hand-picked.
00:09:26 Speaker 3
So terms can get a little bit technical, but it's important to understand two things.
00:09:31 Speaker 3
One is, what are the regulatory requirements that apply within your organization?
00:09:35 Speaker 3
And two, in what capacity are the services being utilized and what deployment models are being considered?
00:09:42 Speaker 3
With these two combinations, you can get a fair share of control requirements that will apply.
00:09:48 Speaker 3
And obviously, your scoping discussion can be determined by understanding what's important, what's relevant, and how do you get a comprehensive coverage as you try to bring comparability and consistency.
00:10:01 Speaker 3
And one last point I'll add here, Adam, is that some of these frameworks have evolved over time, and it's always healthy to keep a good traceability model.
00:10:11 Speaker 3
I think CCM, the Cloud Controls Matrix from CSA, does a pretty good job at providing cross-reference by deploying models and cross-reference to various standards.
00:10:22 Speaker 3
So I think that's a great starting point in providing some level of consistency and coverage.
00:10:28 Speaker 2
That's great, Vic.
00:10:29 Speaker 2
And if I heard you correctly, internal auditors need to think about, I'd say, the convergence of three things.
00:10:36 Speaker 2
One is the organization's deployment model or models, because there's multiple different ways to embrace the cloud, the regulatory compliance obligations that Adesh and you talked about, and then also the various frameworks that help not only govern and manage these deployments, but also articulate the control expectations based on the nature of how you're using the technology.
00:10:57 Speaker 2
And those are all
00:10:58 Speaker 2
valuable inputs into conducting an internal audit risk assessment and establishing the audit plan.
00:11:03 Speaker 3
Absolutely, yeah.
00:11:04 Speaker 3
I mean, it provides a fair level of coverage and comparability.
00:11:08 Speaker 2
Adesh, I'd like to come back to you also when we're thinking about how internal audit reacts to the current environment.
00:11:14 Speaker 2
You had mentioned this being a board-level topic that cyber has been at the board level for an extended period of time.
00:11:21 Speaker 2
And
00:11:22 Speaker 2
As you insinuated, some more specific nuanced elements of cybersecurity and cyber risk management are now becoming more prominent.
00:11:30 Speaker 2
Have you had any conversations with your audit committee or other board members?
00:11:35 Speaker 2
And maybe you can share a little bit about some of the questions that they're asking you in relation to cloud security.
00:11:42 Speaker 4
Absolutely.
00:11:42 Speaker 4
And one of the points that we always keep discussing is, do we have the right skill set within the audit department, right?
00:11:50 Speaker 4
You know, before even we go and present them our view on, you know, how we cover cybersecurity, do we have the right skill set?
00:11:57 Speaker 4
So, you know, the key discussion that I have with my audit committee is around the skills assessment.
00:12:03 Speaker 4
So every year, let's say, as part of the audit plan that we put together, we do perform a skills gap assessment, making sure that we have not only the right number of resources that we need to cover,
00:12:16 Speaker 4
the specific audit areas, but do we have the right skills?
00:12:19 Speaker 4
So skills take a top seat when it comes to discussing with the board on how we plan to cover.
00:12:29 Speaker 4
I think, too, the board audit committee specifically wants our view on the governance structure.
00:12:37 Speaker 4
There are three lines of defense for the right reason.
00:12:42 Speaker 4
They're looking for the third line's independent view
00:12:45 Speaker 4
on how are the roles and responsibilities split between the first line, the second line.
00:12:51 Speaker 4
One of the challenges that I see in the cloud security as a whole is lack of definition of clear roles, responsibilities.
00:13:01 Speaker 4
I say this, you can outsource the infrastructure in this environment, but you can never outsource the accountability.
00:13:09 Speaker 4
It is extremely important to make sure that
00:13:14 Speaker 4
we give our view on how the governance structure is managed.
00:13:18 Speaker 4
That is another topic that we keep discussing with the audit committee.
00:13:21 Speaker 4
And third, making sure that we, as a firm, are staying on top of the latest trends in cybersecurity world, which may impact the cloud security.
00:13:36 Speaker 4
So the continuous monitoring on how does audit, you know, keep track of the events in the industry.
00:13:43 Speaker 4
We present them on an annual basis.
00:13:45 Speaker 4
Key risk trends in the industry as well as the institution.
00:13:49 Speaker 4
That is a basis of the conversation around, you know, how do we make sure that we're covering the right areas in our audit plan.
00:13:56 Speaker 2
Vic, I want to continue the conversation around potential challenges, not only for management in terms of the
00:14:05 Speaker 2
deployment and administration of cloud environments and security, but also some of those challenges that internal audit functions may be facing.
00:14:11 Speaker 2
And Adesh talked about really three main categories here, the right skills and capabilities to assess, you know, and evaluate cloud security.
00:14:23 Speaker 2
The whole concept of being able to delegate the task, but not the responsibility to your business partners.
00:14:28 Speaker 2
And then thirdly, you know, just the pace of change.
00:14:32 Speaker 2
Are there other challenges that internal auditors need to be thinking about as it relates to cloud security?
00:14:38 Speaker 3
So the way I kind of think about cloud security is in three key areas.
00:14:44 Speaker 3
Adesh talked about governance and the roles, responsibilities, and even skill sets from an internal audit perspective.
00:14:52 Speaker 3
When I look at cloud security from a governance perspective, to me, it's a concept of shared responsibility model, because anytime you
00:15:00 Speaker 3
As internal auditors, if you go and ask management, Hey, show us how you're putting controls around infrastructure or virtualization security, for example.
00:15:09 Speaker 3
And depending on the type of deployment model, that responsibility could change.
00:15:13 Speaker 3
It may be with the cloud service provider, or it may be with management.
00:15:18 Speaker 3
So it's really important to understand the deployment models to ensure that the strategy speaks clearly to the governance,
00:15:27 Speaker 3
to the roles and responsibilities, to the shared responsibility model.
00:15:30 Speaker 3
Because I think at the end of the day, when it comes to cloud, there are two elements of looking at security in the cloud.
00:15:37 Speaker 3
One is security in the cloud, which any company, regardless of the type of deployment model, you're always going to be responsible for your data.
00:15:45 Speaker 3
You're always going to be responsible for ensuring that appropriate people have access
00:15:51 Speaker 3
to your application or your data sets.
00:15:53 Speaker 3
And you're always gonna be responsible for building applications.
00:15:56 Speaker 3
So I see it as security in the cloud where access management or control areas like application development or even data security are the areas of responsibility that stay in the cloud, and that's generally owned by the customer.
00:16:11 Speaker 3
Now, the second element of this is the security of the cloud, and that depending on the type of
00:16:17 Speaker 3
deployment model, you could have much of the responsibilities for security of the cloud with the cloud service providers.
00:16:25 Speaker 3
Now you could reach out to them, have effective ways to strengthen your contracts, and even have controls in place to ensure that there is some level of security built in.
00:16:37 Speaker 3
But you can leverage the security in the cloud and security of the cloud approach to see where the responsibilities lie and then formalize them through a
00:16:46 Speaker 3
governance mechanism or a governance model with the defined roles, responsibilities, and even adoption of the policies and disseminating of expectations to management and communication of those expectations through your policies and procedures can help kind of manage that risk a little bit.
00:17:05 Speaker 2
Yeah, that's interesting, Vic, because when I think about some of the conversations that we've had with organizations, oftentimes,
00:17:13 Speaker 2
you know, will say, Well, do you have a disaster recovery plan for this application or this environment?
00:17:19 Speaker 2
And they say, Well, yeah, it's in the cloud.
00:17:21 Speaker 2
And that very well may address their resiliency risk, but many times it does not.
00:17:26 Speaker 2
And there might not just be a sufficient awareness of the distribution of roles and responsibilities in that shared responsibility model.
00:17:34 Speaker 3
Absolutely.
00:17:35 Speaker 3
Business resiliency and technology resiliency are catching up.
00:17:40 Speaker 3
We're seeing a lot of
00:17:42 Speaker 3
clients that have some level of dependency with the applications that are in the cloud, and they may already have predefined RTOs and RPOs.
00:17:51 Speaker 3
Those are generally kind of a business-driven decision, but oftentimes you're kind of seeing that those definitions of recovery times are being defined by the cloud service provider.
00:18:02 Speaker 3
So in most cases, their RPOs and RTOs, and sorry if I'm using too many technical terms here, but I think from a technical perspective, they may be
00:18:12 Speaker 3
within the parameters of acceptable thresholds to the business, but it also begs the question that what if the recovery objectives are not met, and then what?
00:18:24 Speaker 3
And so there have been a number of outages that we've seen in the recent past, and that was another topic that we had a...
00:18:31 Speaker 3
pretty deep discussion on with my other clients and colleagues, which is the area of responsibility should there be an outage.
00:18:39 Speaker 3
And so what options do clients have?
00:18:41 Speaker 3
Generally, if they have a lot of dependency with a single cloud service provider or even not enough built-in to protect themselves, then that can be an area of consideration and an area of risk that needs to be addressed.
00:18:57 Speaker 2
Thank you.
00:18:58 Speaker 2
So you both have done an excellent job laying the groundwork for why cloud security should be part of an internal audit plan.
00:19:08 Speaker 2
And I think there's sufficient motivation for those that might be listening that haven't had cloud security on their audit plan to give a consideration.
00:19:15 Speaker 2
Adesh, maybe you can talk a little bit about where those organizations might want to start auditing cloud security, and if there's any specific foundational elements that should be prioritized over others?
00:19:27 Speaker 4
Yeah, great question.
00:19:29 Speaker 4
So I think the first step in the cloud security audit is actually not technical, right?
00:19:35 Speaker 4
I mean, it's about asking who's responsible for what, because if you're unable to answer that, I don't think you're ready to audit the cloud, right?
00:19:43 Speaker 4
So starting point should always be the governance and strategy, right?
00:19:47 Speaker 4
Where we need to review the management's approach,
00:19:51 Speaker 4
the roles, responsibilities, policies, regulatory requirements, all the things that we talked about earlier.
00:19:59 Speaker 4
How does it all come together?
00:20:01 Speaker 4
And how are you defining those roles and responsibilities?
00:20:04 Speaker 4
As we mentioned before, shared responsibility model is even more important in terms of the cloud security because, yes, we use the big league in terms of the cloud service providers.
00:20:19 Speaker 4
But that doesn't really shy you away from owning your risk. You still have to own the risk. So, shared responsibility model is important. And, in terms of how...
00:20:32 Speaker 4
We should begin auditing after you go through the governance, the strategy, et cetera. Once you are in the field work, it's very important to obtain things like, let's say, the SOC reports from the cloud providers, independently look at how are those cloud providers managing the cloud security on their side. The goal for us should be that there should be no gaps or no ambiguity with respect to
00:21:02 Speaker 4
the accountability, because that's really the foundational element of the secure cloud environment.
00:21:07 Speaker 4
And then comes your technical elements, looking at the cloud configurations, whether they are in line with what the expectations are. There is the identity and access management, which I'm sure is a favorite topic for most of the listeners here. Assessing the user access in the environment in the cloud setting is important.
00:21:32 Speaker 4
Because again, just the fact that you're on the cloud doesn't make it secure. So those technical things will follow, but you really need to start at the basic about who's responsible for what and cover that governance structure.
00:21:46 Speaker 2
I would agree, because if you don't know what you have, who's responsible for it, how can you effectively audit it? So really first understanding the strategy, the distribution of responsibilities, the intended use, and who's responsible.
00:22:01 Speaker 2
will likely identify several improvement opportunities to increase transparency and possibly standardize operations in that regard without needing to bring a technical cloud skill set to the audit.
00:22:14 Speaker 4
Very interesting. But at the same time, it's really important to have the right skill set on your team.
00:22:22 Speaker 4
who can also look at the public cloud from the technical elements perspective. So for example, we focus a lot on upskilling. So we have many of our auditors who have gone through the AWS public cloud practitioner certification as an example, where we are upskilling the staff in the specific cloud service provider audits.
00:22:48 Speaker 4
We recently also went to a summit with the AWS team where they showcased something called AWS Audit Manager, which could be of use in future and we have provided our comments around that to them as well.
00:23:05 Speaker 4
But these are the additional things that we are doing to make sure that we have the right skill set and, you know, the current skill set that we need to audit the cloud environment.
00:23:15 Speaker 2
Continuing to get a little more on the technical side after we get our arms around governance and process, Vic, maybe you can talk a little bit about cloud security posture management, and I'll provide our audience here a little bit of an overview and how internal audit can assess the different components of cloud security posture management.
00:23:35 Speaker 3
Whenever we're helping our clients out with a cloud security audit, governance is always a starting point. It gives everyone a starting point to see what can be done, how do we need to think about security. And then comes the technical part, right? That's where a lot of the technical related configuration elements come into question.
00:23:55 Speaker 3
And one of the biggest reasons for why this is important is that a large number of data breaches that have occurred, if you take a look at it even recently or in the recent past, a number of these breaches or data loss events happen because of misconfiguration. And the good news is that a lot of the major league providers do give that ability to
00:24:18 Speaker 3
take a look at your security posture. Now, whether you're utilizing those services effectively or not, that's a different question. But the ability to understand and review the configuration elements is already out there. So there's two ways in how we can look at it. And there's probably more ways than that, but I'm going to try and simplify it in two ways. One is a cloud security posture management, typically looking at configuration elements.
00:24:45 Speaker 3
whether it is your containers, your EC2, or any OS-related configuration elements, or even infrastructure-related security, there's that. But then there is a second element which typically gets missed out. That is the data element of it. So if you don't know where your data is, you can't do enough to protect it. So it's important to take the second
00:25:10 Speaker 3
approach where you're getting an understanding of your current data clusters in the cloud. You're able to know which data clusters are sensitive or not. And depending on your data clusters and whether they're sensitive or not, you can classify them and then run deeper scans to see, are those configured and protected appropriately or not? So it gives an additional layer of coverage, if you will.
00:25:38 Speaker 3
Because traditionally, if you run just a vulnerability scan kind of a tool that would look at all the misconfigurations or elements that need to be updated or refreshed, that's one. But then the second approach, which is a data-first approach, taking a data security posture management lens, also gives you a much more comprehensive coverage. And like I said, there are tools that have evolved over time that allow you to
00:26:04 Speaker 3
take a look under the hood and run a scan and look at the data clusters and be able to classify and give you a sense of where your data sets are, which ones are critical and which ones are at risk of being exposed. And then you can put control selectively. I do find the second approach a little bit more relevant to what we're trying to protect.
00:26:29 Speaker 3
Now, you can put the biggest lock in front of a door, but if there's nothing behind the door, then the implementation of that effort is not going to turn into anything useful. Whereas if you're able to kind of lock down in areas that need to be protected and then take security measures and evaluate those controls and put them more effectively, can help get you a better sense of comfort to know that, yes, you manage the risks and you have
00:26:56 Speaker 3
visibility into where data is flowing. I'll just close with one other point, Adam, and then I'll turn it back to you, is that the cloud environment is continuously evolving. And that's one of the biggest challenges. It's easy to right click and spin up a new container and start up a new project or turn on a new application. But at the back end, if you're not doing enough to keep up with the rapid evolution or rapid
00:27:26 Speaker 3
the progress that is being made at the application level, then we tend to kind of miss out on those. And that's what kind of leads into areas that evolve into risks that make the headline. So hopefully, you know, obviously there's no silver bullet, but if you take the three step approach, which is a combination of what Adesh mentioned earlier, taking a look at governance, roles, responsibilities, shared responsibility model, contracts supporting it, even exit strategies need to be considered there.
00:27:54 Speaker 3
That's all in governance. And then you can take a look at security posture through CSPM tools and technology platforms that are out there. And then taking a third step approach, which is a data-first approach towards cloud security. So I think with these three, it gives a fairly decent plan that you can run with and provide support to the business. So, I mean, those are my thoughts. Obviously, I'll welcome any other questions, suggestions, but I'll pass it back to you then.
00:28:24 Speaker 2
Thank you, Vic. And what I heard loud and clear is not only do you need to be concerned as internal auditors about the application or the platform security and configuration, but really understanding what data is stored where and what it's being used for and how significant and important it is to the organization, 'cause that should inform your risk assessment and audit plan.
00:28:47 Speaker 2
Because you can't ignore the security controls over the data in favor of the security controls within an application or platform and vice versa. You need to be considering both to ensure that your data has integrity, it's in the locations that you want it to be, and it's adequately controlled and limited to authorized individuals.
00:29:07 Speaker 3
Absolutely. You nailed it. Thanks, Adam.
00:29:10 Speaker 2
Okay, very, very interesting. So we've been going strong here for over a half an hour, and I want to bring it home with Adesh here and also get your guys' final thoughts on this important topic. So we've talked about the different topics and components of cloud security that can be incorporated into an audit plan. We've talked about
00:29:32 Speaker 2
where internal audit functions might want to start considering cloud security and related risks in their audit plan. Adesh, what recommendations do you have for our listeners in terms of building out an effective cloud security audit program over time? We know that they, we can't tackle everything at one time. So how would you recommend approaching a reasonable amount of risk coverage in a period of time?
00:30:01 Speaker 4
Auditing cloud security is a journey, right? It's not a one-off project that, you do it once and, okay, I'll come back to it, two years from now or three years from now. It's an ongoing journey, and you know what's really important is...
00:30:16 Speaker 4
how cloud security as a topic is integrated into the enterprise risk management framework. And more importantly, from audit perspective, how it's integrated within the internal audit plan. So I don't think it's a topic that can be covered in just one audit in the year, but we want to make sure that you are covering the right elements that are related to the cloud security in the respective audit. So for example,
00:30:43 Speaker 4
I mentioned identity and access management. It's a key element, but of course, it's not a cloud-only topic. But if you are going to look at identity and access management enterprise-wide, make sure that you are including cloud security as part of your coverage. There is the important angle of third-party risk management. I mean, I can't stress enough
00:31:06 Speaker 4
how important third-party risk management and nth-party risk management has become, especially when you have the cloud service providers also leveraging other vendors, other service providers, where ultimately you as a firm leveraging these cloud service providers are still responsible for the risk. You still own the risk. So making sure that you have a robust
00:31:32 Speaker 4
third-party risk management in place is important. So in terms of internal audit, make sure that you are looking into the third-party risk management and especially whether people are involved, right? SMEs, the subject matter experts, are involved, how are they doing the inherent risk questionnaires? I mean, there's so many things. I mean, that's a different podcast in itself.
00:31:58 Speaker 4
but making sure that you are not only focused on the cloud security posture management, data security posture management in the cloud environment, but all these other peripheral enterprise-wide processes that are important and do impact cloud security. How does internal audit include that and incorporate that as part of the audit plan? And as I mentioned even before,
00:32:23 Speaker 4
Doing this with some method to madness with respect to having that appropriate audit program, mapping it to the specific standards, the regulatory requirements, that is that phased approach, that journey that I mentioned before that audit needs to have. And the goal for us is to make sure that the cloud risks are managed in real time.
00:32:49 Speaker 4
And it's not an afterthought.
00:32:50 Speaker 2
Certainly preventative and proactive is always better than detective and reactive to the extent possible. So completely understand and appreciate that perspective. Vic, any additional thoughts on considerations for building out a cloud security audit plan over a period of time, which could be multiple years?
00:33:11 Speaker 3
Yeah, absolutely. And so it's an interesting concept because I can share a real-life example of how we, and this is about three years ago, but that strategy really works if you think about cloud security audits when you're planning for it.
00:33:29 Speaker 3
Right, so if I'm a business owner and I have, let's say, five business applications that are sitting on one cloud provider, and I'm providing this example because many of our listeners here will probably be dealing with a multi-cloud environment or a hybrid cloud environment. And so it becomes important to think about how do we tackle this? So again, going back to my example, let's say you have
00:33:55 Speaker 3
10 business apps that are in scope. And then five of them are on a primary cloud service provider. Let's say that's on AWS or something. And then you have others that may be on Microsoft or Google or others. And so when you're thinking about your cloud audit plan, obviously when it comes to governance, you can span across all business apps. It's generally business-
00:34:19 Speaker 3
app agnostic, and so that can be done separately. But when you're starting to get into the technical components of it, I think you'll want to consider it by provider. The reason is simple. Whenever you are looking at the security elements, often there'll be a number of configuration elements that will be designed based on the cloud provider. So whether that's AWS, you might have a unique set of configuration settings that you can evaluate.
00:34:48 Speaker 3
And the same thing with Azure or even GCP. So if you phase your audit plan in a way that looks at business apps by provider, and obviously you'll have to risk-rate which business apps are going to be critical, and then have a phased approach over a two- to three-year plan, that can provide comprehensive coverage within each of the segments that you're going after. So I think a combination of that certainly needs to be considered as you're building the plan out.
00:35:17 Speaker 3
But the more important aspect of it is to take a step back and see how did management address the areas of improvement that were shared in the prior audit and then continue to build on that because chances are that because of the nature of the cloud environment and the platform, it is likely that it may have evolved. And so you may need to go back and take a fresh look.
00:35:42 Speaker 3
especially if it's been over a year, if you haven't looked at it in its entirety. So a phased approach with a combination of consideration of the platform dependency, as well as the risk ranking of the business apps, should give you a pretty decent starting point. I hope that answers your question, Adam. But we work with the clients and we've tried different ways, and I think what I was sharing here was some of the most effective ways that we were able to kind of help design the audit plans.
00:36:11 Speaker 2
No, I think it makes a lot of sense. It's the intersection of the target system and the topical areas you're trying to cover. You know, it's the old -- is it a thematic-based internal audit that you're covering a lot of different areas of the same topic, or are you trying to go a little bit deeper in a given target system or environment, or both based on the implementation and complexity? So, absolutely a critical consideration in building the audit plan.
00:36:40 Speaker 2
This has been a fantastic conversation, and I greatly appreciate both of your insights and experiences here. Before we end our conversation, I just wanted to open it up for any final thoughts you would like to share with the audience as they continue their cloud security kind of internal audit planning and execution. So, Adesh, I'll start with you.
00:37:02 Speaker 4
The main key takeaway here is to consider internal audit to play a big role in terms of the overall cloud security governance model that you have in the firm. So early and continuous involvement by internal audit actually does help ensure that there are no surprises and that the cloud risks can be managed effectively. So you do play a big role as the independent third line.
00:37:28 Speaker 4
and make sure that cloud security, as I mentioned before, is not an afterthought. It should be woven into the organizational risk management fabric, right, which then we need to provide the assurance services for. So make sure that the internal audit function that you are part of is proactive, collaborative,
00:37:51 Speaker 4
And making sure that you're looking at that as one of the highest risks that you cover and stay on top of what's happening in the industry. I mean, make sure that you don't fall into the trap of check-the-box auditing and have a blind eye towards what's happening in the threat landscape, which is evolving very rapidly.
00:38:16 Speaker 3
One or two other points that I just think
00:38:18 Speaker 3
that are extremely valuable, just building on to what others shared earlier, is just making sure that we're being transparent, right? Risks are risks. And this is, I think, the intent of the organization in any capacity, no matter where they are on their cloud journey, is to be able to serve the business, to reduce the risks, and to bring efficiencies. And so it's important to be transparent. It's important for internal audit to upskill and provide the
00:38:47 Speaker 3
insights necessary for management. Sometimes when a different person looks at the same content, they can see things differently, and that's generally helpful. So a constructive mindset is really important there. And then also, just to kind of sum this up, cloud is going to be always evolving. So regardless of when the last audit was, it's always important to keep a close eye on any changes, any recent developments, any
00:39:14 Speaker 3
structural changes that could have an impact is important. And I think to wrap it up, as long as we're kind of keeping all these aspects of skill sets, roles and responsibilities, transparency and governance.
00:39:28 Speaker 3
And then looking at the technical components, I think we'll see a better plan as internal audit starts to mature their audit approach in tackling such a complex environment. So once again, I also appreciate Adesh's feedback and thoughts and how he's seeing it. So I think this is going to be a continuously evolving journey.
00:39:46 Speaker 4
Yeah. And so before, Adam, you jump in, I just had one final thought on top of the final thoughts that Vic and I shared.
00:39:55 Speaker 4
So, this is going back to one of the messages that I shared at an IIA conference recently, which is, how can you position internal audit as a value center and not a cost center?
00:40:08 Speaker 4
You know, cloud security is a topic where you can demonstrate the tremendous value that you can add to the firm, showing not only through the audits, the assurance activity you do, but maybe developing some continuous tests or maybe developing some of these capabilities, the ideas that you can share with management so that they can get better in unlocking their potential, right?
00:40:32 Speaker 4
So, you know, positioning audit as a value center is an extremely important role
00:40:38 Speaker 4
that we have as internal auditors, and this is an excellent topic to do it with.
00:40:43 Speaker 2
Well, Adesh, you touched on a topic that I know we as internal auditors are constantly challenging ourselves with, which is how can we bring more value to the organizations that we're partnering with,
00:40:54 Speaker 2
whether we're internal to an organization or a service provider. And this is an excellent area, I completely agree, where internal audit can really lean in to help management and the board.
00:41:05 Speaker 2
So we've covered an awful lot of ground in a relatively short amount of time.
00:41:10 Speaker 2
And speaking for myself, it's been extremely informative.
00:41:12 Speaker 2
So I'd like to thank Adesh and Vic for their experiences.
00:41:17 Speaker 2
and insights and suggestions on tackling this very important and relevant topic.
00:41:22 Speaker 2
And I'd like to thank all of our listeners for joining us today.
00:41:25 Speaker 3
Thank you, Adam.
00:41:26 Speaker 4
Thank you, Jordan.
00:41:28 Speaker 1
Banking on big changes?
00:41:30 Speaker 1
Spark your next audit breakthrough at the 2025 Financial Services Exchange, where you can hear more from this episode's guest, Adesh Gandre, live November 3rd to 4th in DC or from your laptop.
00:41:42 Speaker 1
Fresh insights, smart peers, and 13 CPEs to boot.
00:41:46 Speaker 1
Head to theiia.org to save your spot.
00:41:49 Speaker 1
If you like this podcast, please subscribe and rate us.
00:41:52 Speaker 1
You can subscribe wherever you get your podcasts.
00:41:55 Speaker 1
You can also catch other episodes on YouTube or at theiia.org.
00:41:59 Speaker 1
That's T-H-E-I-I-A dot O-R-G.