Why is it important to have an inventory of all cloud solutions in use?
Furr: An inventory of all cloud solutions in use within the organization is a critical foundational step in establishing a cloud risk and governance program. The inventory can be a useful tool for understanding the aggregate level of risk to the organization by identifying the data involved and the number and types of cloud computing technologies in use. The inventory also can be used to manage regular reviews of cloud computing solutions to reduce risk and ensure ongoing compliance.
Lovell: Having a complete inventory is the first step in managing the cloud control environment. Armed with this information, organizations can better understand the risks associated with their cloud services; drive clarity regarding roles and responsibilities between vendor and customer; and validate that controls are in place for the security, reliability, agility, and compliance of their clouds.
How often should internal audit evaluate solutions?
Lovell: Audit frequency should be based on risk. In a mature organization, internal audit should focus on major cloud projects and migrations, with governance-type audits occurring periodically after the first annual cycle. For an organization just embracing the cloud, internal audit's governance-related reviews should occur more often. For organizations with multiple significant applications in the cloud, I would expect some aspect of cloud to be covered every year, via project audits, application audits, integrated audits of functions that use cloud services, infrastructure audits, and those focused on cybersecurity. Importantly, the cloud should be audited where it supports critical business activities that also are under audit.
Furr: Cloud solutions evolve quickly, and while organizations typically perform due diligence when choosing a provider, the evaluation often does not address how the platform and individual services develop and are monitored and managed over time. Organizations should perform a cloud computing assessment before completing an audit. Performing an assessment first enables internal audit to build relationships and educate stakeholders on the policies, procedures, and controls necessary to mitigate cloud computing risks. Audit frequency depends on the maturity level, complexity, and use of cloud solutions. As the maturity level of the cloud risk and governance program increases, evaluation frequency can be reduced, but it should be annual until then.
How can internal audit gain assurance around cloud solutions?
Furr: The first step is to understand the maturity level of the organization's cloud risk and governance model. Next is understanding the current aggregate cloud computing environment. The final step is understanding the plan to expand cloud computing solutions. By understanding these three components, internal audit can better identify and help manage and monitor the cloud environment. It should ensure the organization is building its cloud strategy with compliance and risk in mind. The organization should follow a holistic, robust cloud standard.
Lovell: First, internal audit should test key controls related to the procurement and deployment of new cloud services. Validate that decisions to move a service into the cloud are based on an established architecture and information security standards to which all parties have committed. Also, validate that standard terms and conditions, as well as service-level agreements, are in line with corporate policy. Second, internal audit should audit the vendor management program. Vendor monitoring should be based on risk and could include review of third-party trust reports, control questionnaires, and on-site visits. Third, internal audit should test controls to identify and limit unauthorized cloud services. Finally, internal audit should get involved in cloud projects and validate that controls are in place to ensure the security, compliance, agility, and reliability of the organization's clouds.
What are some tips for determining whether the audit function is capable of assessing cloud solutions?
Lovell: The collective team must understand the technology as well as the business. Look at the current IT audit plan. If the last three years have seen significant coverage of IT infrastructure, cybersecurity, and IT controls that touch application life-cycle management processes, you likely have in-house staff who can learn and cover basic cloud governance, security, and operations-related cloud audits for medium-risk cloud services. However, for any cloud services that support critical business processes or house sensitive data or regulatory compliance-related services or data, supplement audits with subject-matter specialists. Conversely, if the audit plan has historically been focused on IT general controls or application controls, seek outside assistance in general for cloud-related engagements.
Furr: At my company, we frequently work in partnership with internal audit resources and other key stakeholders to "teach them to fish." Most internal audit teams have little to no cloud computing experience in identifying and managing cloud risk and compliance challenges. This model allows experienced advisors to train their staff during initial assessments and audits, so they can conduct future cloud computing assessments and audits themselves.
A Focus on Controls
There are several general policies and controls organizations can implement with regard to cloud solutions. At a minimum, RSM's Carrie Furr says, cloud computing requires policies, procedures, and controls around the high-risk cloud control domains, as defined by the Cloud Security Alliance Cloud Controls Matrix:
- Data security and information life-cycle management.
- Encryption and key management.
- Identity and virtualization.
- Interoperability and portability.
- Supply chain management, transparency, and accountability.
In addition, PwC’s Eric Lovell offers four foundational areas of focus:
- Controls related to strategy and governance. Organizations must determine when and how they move to the cloud, and should develop an architectural reference model to help ensure decisions are consistent across the enterprise, meet business requirements, provide a return on investment, and are within the company’s risk tolerance.
- Solution development. Whether it's an in-house development team using a DevOps approach to deploy and manage applications in cloud infrastructure, or the organization is taking advantage of the many enterprise-class applications provided as a service, specialists should be involved throughout to make sure adequate controls are in place for the production environment.
- Training and awareness. Both end users and technologists need to be trained on the cloud and how to leverage those services to the advantage of the organization while managing risk.
- Controls related to inventory management. Organizations need an accurate inventory of all cloud services, along with sufficient information about each to make informed risk-based decisions. And organizations need to control the use of unauthorized cloud services.
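The inventory-management control above, and Lovell's earlier point about testing controls that identify unauthorized cloud services, both come down to the same reconciliation: compare what the network actually reaches against the sanctioned inventory. The script below is an added illustration of that reconciliation, not code from the article, RSM, or PwC. It assumes a simple space-separated web-proxy log (timestamp, user, bytes out, URL) and a small sanctioned-service inventory, both constructed here; the collapse of a hostname to its last two labels is a simplification that ignores multi-part public suffixes such as co.uk.

```python
"""Reconcile observed cloud-service usage against a sanctioned inventory.

Added example (not from the article). The proxy log format and the
sanctioned inventory below are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sanctioned inventory: approved cloud services, keyed by the
# registrable domain each service is reached through.
SANCTIONED = {
    "office.com": {"service": "Microsoft 365", "owner": "IT", "data_class": "confidential"},
    "salesforce.com": {"service": "Salesforce", "owner": "Sales Ops", "data_class": "confidential"},
    "amazonaws.com": {"service": "AWS", "owner": "Platform", "data_class": "restricted"},
}

# Constructed proxy log lines: timestamp user bytes_out url
PROXY_LOG = """\
2024-03-04T09:12:01Z alice 1820 https://login.office.com/common/oauth2
2024-03-04T09:15:44Z alice 4194304 https://eu1.salesforce.com/api/data
2024-03-04T09:20:10Z bob 7340032 https://www.dropbox.com/upload
2024-03-04T09:21:03Z bob 512 https://s3.eu-west-1.amazonaws.com/bucket/obj
2024-03-04T10:02:19Z carol 26214400 https://transfer.wetransfer.com/up
2024-03-04T10:05:55Z carol 2048 https://www.dropbox.com/home
"""


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels.

    Simplifying assumption: no multi-part public suffixes (e.g. co.uk).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_proxy_log(text: str) -> list:
    """Parse the constructed log format into per-request events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, nbytes, url = line.split(maxsplit=3)
        host = urlsplit(url).hostname or ""
        events.append({
            "ts": ts,
            "user": user,
            "bytes_out": int(nbytes),
            "domain": registrable_domain(host),
        })
    return events


def reconcile(events: list, sanctioned: dict) -> dict:
    """Aggregate usage per domain and split it into sanctioned vs unsanctioned."""
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for e in events:
        u = usage[e["domain"]]
        u["users"].add(e["user"])
        u["requests"] += 1
        u["bytes_out"] += e["bytes_out"]

    report = {"sanctioned": {}, "unsanctioned": {}}
    for domain, u in usage.items():
        row = {"users": sorted(u["users"]), "requests": u["requests"], "bytes_out": u["bytes_out"]}
        if domain in sanctioned:
            row["service"] = sanctioned[domain]["service"]
            report["sanctioned"][domain] = row
        else:
            report["unsanctioned"][domain] = row
    return report


def unsanctioned_by_volume(report: dict) -> list:
    """Unsanctioned domains, largest outbound volume first (the likely
    data-exfiltration or shadow-IT candidates an auditor wants to see)."""
    return sorted(report["unsanctioned"].items(),
                  key=lambda kv: kv[1]["bytes_out"], reverse=True)


if __name__ == "__main__":
    rep = reconcile(parse_proxy_log(PROXY_LOG), SANCTIONED)
    for domain, row in unsanctioned_by_volume(rep):
        print(f"UNSANCTIONED {domain}: {row['requests']} requests, "
              f"{row['bytes_out']} bytes out, users={row['users']}")
```

Run against the constructed log, the sanctioned bucket holds office.com, salesforce.com and amazonaws.com, while dropbox.com and wetransfer.com surface as unsanctioned, with wetransfer.com first by outbound volume. In practice the sanctioned map would be the governance inventory itself (owner, data classification, contract and SLA reference), so the same reconciliation that flags shadow IT also shows which approved services actually carry the traffic.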