Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

The Cloud Era Is Here; Boards, Plan Accordingly

A new COSO report can help boards navigate oversight of moving to the cloud.​

Comments Views

​Many a business has been accused of having its head in the clouds, usually to disastrous effect. So let’s talk about how the board can assure that if clouds are part of your corporate strategy, you can implement that idea wisely.

What I mean, of course, is the adoption of cloud computing: relying on other firms to provide technology and business services to yours over the internet. Cloud computing is a fantastic way to save money, with low installation costs and agility to respond to changing business conditions. 

Unfortunately, cloud computing also is fraught with risk — especially around privacy, compliance, cybersecurity, and business continuity. So as organizations embrace “the cloud,” boards should consider the new challenges it brings. 

“When an organization adopts cloud computing, it’s shifting one or more IT responsibilities to an outside party,” says Patty Miller, a former global chairman of The IIA who these days serves as The Institute’s representative on The Committee of Sponsoring Organizations of the Treadway Commission (COSO). That shifting of IT responsibilities can be advantageous, because cloud-based vendors are often better at delivering a service (say, data storage or sales management) than the organization, itself. But, Miller stresses, “delegating those responsibilities only moves where they are performed. It does not remove the risk.” 

To help boards navigate that more complex oversight environment, COSO recently published a 44-page guidance document, Enterprise Risk Management for Cloud Computing. The goal is to help boards (and internal audit professionals) understand how to apply enterprise risk management (ERM) principles to cloud computing’s unique challenges.

Boards also have good reason to put oversight of cloud computing near the top of their agenda, because the adoption of cloud computing is growing so fast. Research firm IDC estimates that the cloud services market grew 24.1% in 2020 (largely thanks to the COVID-19 pandemic forcing businesses to adopt remote working) to a whopping $312.4 billion. That double-digit growth isn’t expected to recede any time soon.

Moreover, the complexity of the cloud environment is growing. An organization might use one cloud provider for “IT infrastructure as a service,” plus other cloud-based providers to run actual business processes — finance, human resources, sales, cybersecurity, and more — atop of that infrastructure as a service. Businesses also are likely to encounter cloud computing challenges earlier in their life cycle, because cloud-based providers are an attractive strategy for startup businesses eager to conquer the world.

In that case, governance isn’t as much about how to manage a physical IT infrastructure to drive business operations. It’s about managing relationships with other vendors to drive business operations, all coated with a thick layer of regulatory compliance risks, to boot.

The Big Risk: Knowing Who Does What

Perhaps the single biggest risk for migrating to the cloud is understanding who is in charge of which tasks, both during and after migrating to the cloud. That is, which systems are going onto the cloud, and why? What new risks does that create, and who is responsible for controlling those risks? 

If a board doesn’t understand those things, it can’t fulfill its job. The whole board can’t offer advice and insight on strategy; the audit committee can’t evaluate the organization’s systems of internal control, compliance, and risk management.

“Just like getting a copy of your annual free credit report, the board should be getting at least an annual debriefing by the chief information security officer (CISO) or chief information officer (CIO) on key IT projects like cloud adoption,” says David Terry, head of internal audit at Portland State University in Oregon. “That lets the board ask questions of management on how these projects impact business operations and strategic goals of the organization.”

Miller puts the matter a bit more frankly: “One could argue that the most common mistake an organization makes in transitioning to the cloud is misconceiving which party owns the controls for a given risk.”

A related challenge, then, is for the board to consider whether management has the right structures in place to address cybersecurity risk — or, more simply, whether roles and responsibilities have been structured correctly.

The COSO guidance calls this point “Establishing Operating Structures,” one of the governance and culture principles in the ERM framework. For example, should a large organization designate a cloud steering committee of in-house executives to assure that all risks are addressed as business processes move to the cloud? Even more fundamental, is the CISO the correct person to oversee cloud risks, or would the company be better served by some “chief vendor risk officer” whose purview includes cybersecurity? 

Every business has to answer such questions for itself. The board needs to assure that those questions get asked, and then answered to its satisfaction.

Rethink Reporting

Moving into the cloud also transforms the reporting that boards need to get from management. After all, the cloud introduces a new business objective: Work effectively with your cloud-based vendors and partners. So management needs to provide the board with a variety of new metrics to talk about how those vendor relationships are working.

Viewed in terms of The IIA’s Three Lines Model, first-line operating units might talk about efficiency gains in processing sales or changes in product strategy made possible by migrating to the cloud. (“Our fixed infrastructure costs are lower, so we’re hiring more salespeople who work remotely and sell by product expertise rather than geography.”) Second-line risk oversight functions might talk about times to resolve security glitches or vendors’ ability to adhere to service-level agreements. 

Good reporting, Miller says, will come to the board from different places and in different formats — but reporting on the cloud is crucial, she adds. “The board of directors should be routinely updated on the cloud strategy, cloud computing performance, and the impact it is having on business objectives.”

Where does that leave internal audit, the third line? With plenty to do, rest assured.

In the practical sense, internal audit can test the effectiveness of the company’s risk management procedures for cloud computing — say, the company’s ability to prevent employees from using unauthorized vendors, or to secure an appropriate amount of insurance for disruptions that might come from a vendor’s failures. Internal audit can bring unresolved issues to the board’s attention. 

More broadly, internal audit can help the board (and management) see bigger strategic risks and opportunities that moving to the cloud provides. Terry, for example, helped Portland State leaders understand the opportunities for physical campus space suddenly made available by faculty, students, and staff moving to a remote work model due to COVID-19.

And moving into the cloud brings many more risks and opportunities than that. The question is whether boards can marshal the right resources to help their enterprise navigate that new world — or just wander in the mist. 

Matt Kelly
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Matt KellyMatt Kelly<p>​Matt Kelly is editor and CEO of, an independent blog about audit, compliance, and risk management issues, based in Boston. ​</p>


Comment on this article

comments powered by Disqus
  • CIA-December-2021-Premium-1
  • AuditBoard-December-2021-Premium-2
  • 2022-GAM-December-2021-Premium-3



Stopwatch Auditing Auditing
Thanks, We Already Know That, We Already Know That
Hidden Goals Goals
Building a Better Auditor: Which Way Should I Go? a Better Auditor: Which Way Should I Go?