Although Jean-Michel Garcia-Alvarez was used to working as a senior internal auditor in the financial services sector, 2015 presented him with several novel challenges. First, he was appointed head of internal audit — and later also data protection officer — at a new fintech challenger bank in London called OakNorth. It had received regulatory approval from both the Prudential Regulation Authority and the Financial Conduct Authority in August 2015 — one of only three U.K. banks to do so in the past 150 years. Second, OakNorth wanted to be the first U.K. bank with a cloud-only IT infrastructure, an area he had not specialized in during his previous audit roles at Nationwide Building Society, RBS, or Barclays.
Garcia-Alvarez realized that traditional audit skills would be of limited use because of the cloud’s newness and evolving nature, with little precedent in the scope and range of how to approach it as an internal auditor. So, he decided to obtain an IT audit certificate from the U.K.’s Chartered Institute of Internal Auditors (CIIA). It boosted his IT audit skills and forced him to get to grips with how to approach cloud auditing and security. It also made him a credible security player in the business.
At the same time, he says internal auditors must adhere to the fundamental remit of audit, which, for OakNorth, is the CIIA’s Financial Services Code. One of the first sentences of that document says internal audit’s primary role is to help senior management protect the assets of the business — in this case from hacking, data breach, and leakage.
“That is absolutely the role of internal audit in cloud security,” Garcia-Alvarez says. When businesses are migrating to and operating in the cloud, internal audit needs to provide assurance that the cloud infrastructure is safe, secure, and able to meet the firm’s objectives — not just now, but in the future. “The way to do that is to be embedded as the third line of defense and to provide real-time feedback on risk and controls, and to assure the board that you are mitigating risk with data — not creating new ones.”
While cybersecurity has long been on auditors’ lists of regular assignments, securing today’s cloud poses fresh challenges. The very structure, speed, and opacity of the cloud demand a shift in focus away from traditional auditing. Having systems in place to deal with data breaches, data loss, and ransomware attacks is mostly standard today. But the unique infrastructure of the cloud, the lack of visibility into fourth- and fifth-level suppliers, and the need to work in tandem with both the cloud provider’s own security teams and a wider range of stakeholders across the business are growing challenges for internal auditors dealing with cloud security.
OakNorth’s journey is a good example of how the speed of change affects internal audit’s security concerns. Like many businesses, OakNorth used Amazon Web Services (AWS) as its cloud provider in 2016. Because AWS is a large global player, Garcia-Alvarez was happy for it to be responsible for the security of the cloud, while OakNorth was responsible for security in the cloud. In theory that makes life easier for internal audit, because the function can regularly check, and rely on, the up-to-date certifications maintained by the cloud provider, and can then focus almost entirely on the internal security control environment. In reality, though, for cloud security to be robust, auditors also need to keep up with changing laws, rules, and regulator expectations.
“Those can change very quickly,” he says. In 2016 when OakNorth migrated to the cloud, the U.K. financial regulator was happy with the decision and with the company’s cloud provider — because it was big, safe, and secure. But when other banks followed suit by 2017, the regulator decided it was a potential concentration risk. If AWS went down, it would take a huge slice of the U.K. financial services sector with it. As a result, OakNorth moved to a multi-cloud solution for all of its client-facing technology.
From the outset, OakNorth used cloud data centers, provided by AWS, in several locations in Ireland, with an additional fail-safe elsewhere in Europe. “That one is like a bouncy castle,” Garcia-Alvarez says. “The shell is there, but the engine is off. Turn on the engine and it will be fully blown up and working in a matter of hours.” Just to be sure, the IT team rebuilds the core banking platform from scratch at a new location in Europe once a year, with internal audit providing independent assurance over the exercises. “It is time-consuming and expensive, but at least we know that the bank is safe.”
Getting in Early
Cloud downtime is not a fantasy risk. In February 2017, for instance, AWS services on the U.S. East Coast experienced failure. While reports on technology news site The Register suggested the servers were down only about half an hour, some customers reportedly could not get their data back because of hardware failure. Another outage in March 2018 affected companies such as GitHub, MongoDB, NewVoiceMedia, Slack, and Zillow, according to CNBC.
James Bone, a lecturer at Columbia University and president of Global Compliance Associates in Lincoln, R.I., says that is just one of many reasons internal auditors should be involved early in any cloud deployment. “I don’t believe that internal auditors should be deciding which products to use, but I do think they should be very much involved in the selection process,” he says. “They need to understand the service model, what is being deployed, and how they are planning to use the services. The platform that they use will determine, to a large part, the risk exposure to the firm.”
That is because the choice of platform governs what data will be transitioned, if any will stay on the premises, access administration, business continuity plans, data breach response, ransomware strategy and response, the frameworks the service provider uses for cloud security, the frequency of monitoring, contractual agreements, and many other factors. Auditors need to be on top of the situation to raise red flags before security risks crystallize. Bone says, for instance, that he has heard stories of service providers failing during a transition to the cloud, without a backup in place from which to restore the client’s data. In this example, organizations need to know what the recovery plan is and, crucially, who is responsible for it.
“These are shared security and operational relationships between the cloud provider and the business,” Bone says. “So it is about clearly separating the different lines of accountability and responsibility at an early stage.” That includes sharing operational performance metrics and having clear escalation processes for data breaches, outages, and other security issues where the responsibilities are set out clearly between the cloud provider and the business. The internal audit team must have a realistic understanding of its own and the business’s capabilities if those measures are to be effective. “If the firm and the audit team are not particularly agile, can they use the vendor to take up some of that role?” he asks.
The opaque nature of what goes on in the cloud service provider’s business is a particular worry for internal auditors. “The biggest problem in these virtual environments is that the distance between control and assurance gets wider,” he says. Bone has been researching this idea for about four years. In digital environments, he says, risk and audit professionals have been used to testing applications because in most cases the physical hardware and data are available to see, touch, and analyze.
“As we move to a boundaryless environment, we are creating a distance between our ability to recognize a problem and having to rely on others to tell us there is a problem,” he says. “That distance impacts response time, and our ability to develop and put in place even more robust controls, because we are further away from the problem. This is an underappreciated risk and is getting larger because firms that are providing these services are getting better at managing their own risk, while as businesses go further into the cloud and have multiple cloud providers, they are becoming more removed from core processes.”
For Fred Brown, head of the critical asset management protection program at HP in Houston and former head of IT audit at the firm, dealing with cloud security while working with such shared services can create “rather large challenges.”
“The more you open your environment, the more you have to stay on top of security,” he says. Over the last couple of years, HP has been working toward being a top quartile security organization, he explains. And Brown’s cyber team has grown 70% during that time. The business has been aggressively moving to cloud services — including infrastructure as a service, platform as a service, and software as a service. Implementing a 100% review of all suppliers that would include all cloud instances throughout the business means doing a detailed security check of more than 2,000 suppliers across the enterprise.
To speed up the process, HP has contracted with a third-party assessment exchange, CyberGRX, which describes itself as supplying “risk-assessment-as-a-service.” Any subscriber can have a supplier risk assessed — once the results are in, users can view them via an exchange. The process is integrated into HP’s inherent risk-scoring program, so that all vendors except those with the highest inherent risk score are assessed by CyberGRX. The vendors with the highest inherent risk are risk assessed by internal resources. This process represents a new initiative at HP, and so far it has produced useful reports and helped the company tackle a backlog of risk assessments.
“This is removing an entire blind spot when it comes to risk,” Brown says. “Even if you have 100 suppliers who you haven’t assessed, with many connected to your company’s critical assets, whether it is employee data, or something else — if you haven’t assessed them, you have no idea what their risk profile really looks like.”
Brown says one problem is that whether a cloud-based supplier is AWS or a small online education provider, if it is managing critical data, the threat to the business is the same. With many cloud providers now outsourcing parts of their own operations, HP is putting in extra effort on fourth- and fifth-party risk management. That is why having someone track the cloud supplier landscape is critical to managing security risk, he says, enabling the organization to identify what is going on and maintain control over the process. This challenge is amplified in a company such as HP that was already complex when it began outsourcing to cloud service providers.
Working Across the Business
New suppliers need to have up-to-date, formal self-attestation certificates that follow recognized standards, such as Service Organization Controls 2 reports and compliance with the International Organization for Standardization’s ISO 27001 standard. To make sure a business division or manager does not randomly contract with a new cloud provider, Brown’s team has what he calls a “cast-iron interlock” with procurement. Procurement knows what HP’s cloud security requirements are, and they must be included in any new contractual arrangements. In fact, Brown describes the contracts as “living,” because they point to the security requirements, which HP can update without changing the actual contract itself.
Working with AWS, HP has created a way of centralizing group security policies through the IT infrastructure. The main cloud instance has all of the group policies established — any new instance sits beneath this “parent” and effectively inherits its security policies automatically. “Every time you make a change to the group policy, it cascades to all the instances that are underneath that,” Brown explains. Non-AWS cloud instances go through the new procurement system as described earlier.
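The parent/child policy cascade Brown describes, modeled as an added Python example (not HP’s or AWS’s code, and a simplified stand-in for how AWS Organizations service control policies are actually evaluated, which is an assumption about what the article’s “group policies” refer to): a deny placed once at the parent removes the action from every instance beneath it, and an audit helper lists the accounts where a control has not yet taken effect.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Node:
    name: str                                 # parent instance, OU, or member account
    parent: Optional["Node"] = None
    allow: set = field(default_factory=set)   # actions permitted at this level; "*" = all
    deny: set = field(default_factory=set)    # actions explicitly denied at this level

def chain(node):
    """Path from the root (parent instance) down to node."""
    path = []
    while node is not None:
        path.append(node)
        node = node.parent
    return list(reversed(path))

def is_permitted(node, action):
    """Simplified SCP-style evaluation (assumption, not AWS's exact algorithm):
    an action survives only if every level in the chain allows it and no level
    denies it, so a deny placed at the parent cascades to every child."""
    for level in chain(node):
        if action in level.deny:
            return False
        if action not in level.allow and "*" not in level.allow:
            return False
    return True

def build_org():
    """Constructed sample tree; names are placeholders, not real accounts."""
    root = Node("parent", allow={"*"}, deny={"s3:DeleteBucket"})
    prod = Node("prod-ou", parent=root, allow={"*"}, deny={"iam:CreateUser"})
    app = Node("app-account", parent=prod, allow={"*"})
    sandbox = Node("sandbox-account", parent=root, allow={"*"})
    return {"parent": root, "prod": prod, "app": app, "sandbox": sandbox}

def accounts_still_permitting(org, action):
    """Audit check: leaf accounts where a control has not taken effect."""
    parents = {n.parent.name for n in org.values() if n.parent is not None}
    return sorted(n.name for n in org.values()
                  if n.name not in parents and is_permitted(n, action))

def demo():
    org = build_org()
    before = accounts_still_permitting(org, "ec2:RunInstances")
    org["parent"].deny.add("ec2:RunInstances")   # one change at the parent ...
    after = accounts_still_permitting(org, "ec2:RunInstances")  # ... cascades down
    return before, after
```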
As cloud computing becomes synonymous with organizations’ IT infrastructures, internal auditors need to work more collaboratively and strategically, according to Scott Shinners, partner of Risk Advisory Services at RSM in Chicago. That will mean audit working increasingly not just with IT and IT security, but with procurement, legal, risk management, and the board.
“The audit committee has to see cloud security in the audit plan, and it also has to be present in the nature of the additional conversations you’re having with management,” he says. “It should come up not just after implementation, but before in strategy setting and so on.” Moreover, if internal audit discovers cloud instances in parts of the business that are not meant to have them, it can feed back to IT and risk management.
Internal audit also needs to work closely with the audit committee as cloud migration, almost inevitably, leads to abandoning a large percentage of the audit plan. “That is where the really good engagement with the audit committee comes through,” Shinners says. “How willing is the audit committee to support a trade-off to reduce assurance on moderate risk areas in order to have internal audit spend more of its resources on some of the cutting-edge stuff that is emerging?”
Performing third-party, independent assessments of cloud security and thinking about the underlying controls on data security, access management, breach response plans, and so on, is just the minimum internal audit can do, he says, because that only provides a snapshot in time in a fast-moving area. “The No. 1 way that internal audit can be successful is working with the second line of defense to build a culture around data protection that is pervasive enough to be successful in an environment that is so fast moving,” he says. “Making sure risk management gets feedback to know the culture is working is right up internal auditors’ alley.”
Skills and Expertise
CAEs may also need to reach outside of their organizations to secure audit staff with the right level of skills and qualifications, says Ruth Doreen Mutebe, head of Internal Audit at Umeme, Uganda’s largest electricity distributor. She recommends building partnerships with technology and information security institutes, such as ISACA, and universities to help identify good candidates.
“Cloud auditing involves rare skill that takes time to build,” she says, especially because it requires people with a good grasp of technical issues who can also communicate those concepts at a basic level to management. In addition to attracting and training staff, a CAE has to be able to retain them after that initial investment has been made.
Mutebe’s approach is to recruit a competent IT security auditor — even if a premium price has to be paid — who can effectively audit and guide management on aspects of cloud security. In addition, she encourages her technical staff members to pass on their knowledge to the entire audit team.
“That could include embedding cloud security procedures into what would have been non-IT audits to build capacity and where resources allow, attaching nontechnical internal auditors to support basic tests on cloud security audits,” she says. Where gaps remain, outsourcing and co-sourcing arrangements with clearly established service level agreements can be used. “Even there, CAEs should encourage the outsourced service provider to train the internal audit staff,” she says.
Keeping Up With Change
Cloud security is moving at a rapid pace, much like other technological changes in businesses today. For internal auditors, that means a focus on critical thinking, learning how to stay current in their industries, and developing a willingness to team up across the business and beyond to form effective alliances. While such an open approach to providing assurance may be new to many auditors working in more traditional environments, it is likely to be a crucial step to take if organizations are to deal with the growing complexity of their cloud initiatives.