Cloud computing has quickly soared to become a dominant business technology. Public cloud adoption, in fact, now stands at 91% among organizations, according to software company Flexera's State of the Cloud Survey. And it's only expected to grow from there. Analysts at Gartner say more than half of global enterprises already using the cloud will have gone all-in by 2021.
Collectively, that places a lot of responsibility for organizational data outside the enterprise. And while cloud migration can lead to significant efficiencies and cost savings, the potential risks of third-party data management cannot be ignored. Reuters, for example, recently reported that several large cloud providers were affected by a series of cyber intrusions suspected to originate in China. Victims, Reuters reports, include Computer Sciences Corp., Fujitsu, IBM, and Tata Consultancy Services. The news agency's chilling quote from Mike Rogers, former director of the U.S. National Security Agency, emphasizes the gravity of these breaches: "For those that thought the cloud was a panacea, I would say you haven't been paying attention."
As noted in this issue's cover story, "Security in the Cloud," growing use of cloud services creates new challenges for internal auditors. Writer Arthur Piper, for example, points to issues arising from the cloud's unique infrastructure and the "lack of visibility of fourth- and fifth-level suppliers." He also cites the cloud's opaque nature and rapid pace of development as potential areas of difficulty. Addressing these issues, he says, requires internal audit to work with a wide range of business stakeholders — especially those in IT — and to secure staff with the right type of expertise.
The need to focus on these areas is supported by a recent report from the Internal Audit Foundation, Internal Auditors' Response to Disruptive Innovation. Among practitioners surveyed for the research, a consistent theme emerged with regard to cloud computing — to be successful, internal audit should build relationships with IT, before moving to the cloud. Multiple respondents also recommend bringing in personnel with specialized IT skills to facilitate the evaluation of cloud controls. Moreover, they noted the importance of evaluating not only standard internal controls in areas like data security and privacy, but soft controls, such as institutional knowledge, as well.
Of course, cloud computing is only the tip of the iceberg when it comes to challenges around disruptive technology. Among other IT innovations affecting practitioners, artificial intelligence and the Internet of Things are equally impactful. We examine each of these areas in "Stronger Assurance Through Machine Learning" and "Wrangling the Internet of Things," respectively. And be sure to visit the Technology section of our website, InternalAuditor.org, for insights and perspectives on other IT-related developments affecting the profession.