As internal auditors, whether we have IT in our educational background or not, we have learned the basics around IT General Controls because so much of the control environment resides in systems. Many of us are familiar with COBIT, which outlines the key IT control objectives in terms non-IT auditors understand. But, if asked by our Audit Committees to explain what part of the IT environment resides in the Cloud and how does Internal Audit’s risk assessment and audit plan address Cloud-related risks, how many of us could answer that question completely?
Your company has likely moved at least one key system to the Cloud and significant attention was paid to carefully assessing vendor credibility and impact to internal controls. However, with the ease of moving systems to the Cloud, there are likely other systems and components of the IT environment that have been moved to the Cloud that did not receive the proper risk and control analysis.
In today’s world where companies are moving most, if not all, of the IT environment to the Cloud, internal auditors need to comprehensively understand: 1) your organization’s Cloud strategy, 2) how the company manages Cloud risks, and 3) Internal Audit’s role in providing assurance around Cloud controls.
If you haven’t spent time broadly understanding your organization’s Cloud footprint, here are few starting points:
Become Versed in the Basics
There are three service delivery models. Many companies use a combination of the three to construct the most efficient and effective IT environment:
- Infrastructure as a Service (IaaS): Provides online processing or data storage capacity.
- Platform as a Service (PaaS): Provides the application development sandbox in the Cloud.
- Software as a Service (SaaS): Provides a business application used by many individuals or enterprises simultaneously. This is the most commonly understood form of Cloud service.
There are four Cloud deployment models. Again, companies use mix of deployment models to ensure the cost is commensurate with the risk.
- Private Cloud: Has one enterprise as its user.
- Public Cloud: An offering from one Cloud Service Provider (CSP) to many clients who share the Cloud processing power simultaneously.
- Community Cloud: A private-public Cloud with users having a common connection or affiliation, such as same industry or common locality.
- Hybrid Cloud: A combination of two or more of the previously mentioned deployment models.
Understanding the basics will provide the foundation for effectively evaluating the different risks posed by the service delivery and Cloud deployment models.
Understand Your Company’s Cloud Strategy
The level of documentation underlying IT environments varies. Work with your CTO to review and understand the IT environment, including what parts reside in the Cloud and what remain “on premise”.
If there is no documentation, or outdated documentation, host a whiteboard session and have the CTO map it out with you.
Once you understand the current state of IT – an important question to ask is: what are the company’s plans to migrate more to Cloud and when?
Perform a Cloud Risk Assessment
Now that you can talk Cloud and understand your company’s IT environment, performing a Cloud Risk Assessment is the next step to further understanding what the “Cloud” means to your organization.
With most Cloud solutions, the organization has less direct control of the solution and consequently a higher level of inherent risk. Common risks areas include:
- 3rd party risk
- Reliability and Availability
When evaluating significance and likelihood of risks, consider:
- Formality of the Governance and Oversight structure
- Clear articulation of a Cloud strategy
- In-house skills, talent and ongoing training
- Maturity of security protocols
- Regulatory compliance implications
- What areas of the IT environment have not received recent independent audit attention
Identify and Map your Cloud Controls
Cloud Control Frameworks: Once you have a clear understanding of the risks, inventory the controls that Management has in place to manage those risks. Control frameworks are evolving, but some popular ones include ISACA’s COBIT 4.1 and Cloud Security Alliance’s Cloud Security Matrix.
There are several out there, some are industry specific, so select one that works for your organization. And in some cases, leverage the best concepts of a few frameworks and tailor a control framework for your organization.
Update Traditional IT Controls to Cloud Controls: With a broad understanding of what parts of the IT environment are in the Cloud and what parts are planned to move to the Cloud, ensure your organization’s Risk & Controls Matrices (RCMs) are updated to reflect Clouds-specific risks and controls. In many cases, citing traditional IT controls is not sufficient or accurate.
Controls beyond Vendor Management controls: Many equate “Cloud control audits” to third-party vendor audits. However, when partnered with a Cloud SME, Internal Audit can add much more value by ensuring the Cloud infrastructure has been effectively implemented and that the Governance model and Cloud Strategy is well designed for the organization.
Performing the above steps is the foundation Internal Audit needs to ensuring your organization is positioned well to assess other related risks such as Cybersecurity and Data Governance risks.
Now, when you hear that your organization is moving everything to the Cloud, or when your Audit Committee asks you to explain Internal Audit’s approach to auditing the Cloud, you have a road map that will yield an answer that non-IT business colleagues will understand.