Does internal audit only see the dark, rainy clouds? Can you see whether the silver lining, the potential for cloud computing, is worth the risk?
My personal view is that while caution should always be exercised, auditors should work with management to determine how to move into the cloud to seize its opportunities, while taking on an acceptable level of risk given the potential for reward.
Auditors should not fear risk. If you eliminate risk, you will also eliminate profit.
The key is to make decisions based on a knowledge of both the potential for adverse impacts and the potential for reward.
SC Magazine had a good set of questions in a November 2010 article:
Am I using a trusted vendor?
Have I considered the value and risk to the information that I am outsourcing to the cloud provider?
What business continuity and disaster recovery measures are in place in the cloud infrastructure? Does the cloud provider have a backup in place?
Have I considered the potential implication of employees wanting to sabotage a successful cloud migration strategy?
Have I considered how knowledge of the business process would be retained and versioned, should I wish to switch cloud providers at a future date?
Do I have a detailed list of security controls based on security, operational and business risks to determine how the cloud vendor complies with them?
Does your cloud provider meet the regulatory or compliance requirements needed by your organization?
How do I audit or evaluate security controls placed on the cloud-based infrastructure?
CIO-Asia had a similar piece this month, but only asked five questions, while CIO-UK needed eight. (But I still prefer the
SC Magazine list).
The questions for auditors are:
Do you know what your organization is doing now with cloud? What is running where?
What are your organization’s plans and strategies for cloud?
Are you involved, helping them navigate the risks and rewards? If not, why not?
Are you being reasonable with respect to taking on risk, relative to the potential rewards?
Are you an enabler, a navigator, or a roadblock to success?