Top considerations in Internal audit in the Cloud Computing environment

Top considerations in Internal audit in the Cloud Computing environment

Cloud computing is the provision of hardware and software services by a third party company accessed over the internet. A survey in 2014 by the Cloud Industry Forum (CIF) based in the UK has shown that 78% of organizations have adopted one or more cloud services representing growth of 61.5% since 2010 when their annual study first began. Furthermore, the study found that large enterprises showed the highest rates of cloud adoption (80%), while small and medium businesses stood at 75% with the public sector at roughly 68%.

Cloud computing technology is deployed in four general types, based on the level of internal or external ownership and technical architectures:

Public Cloud: services from vendors that can be accessed across the Internet or a private network

Private Cloud: Built, managed and used internally by an enterprise

Hybrid Cloud: Mix of vendor Cloud services, internal Cloud computing architectures, and classic IT infrastructure

Community Cloud: Infrastructure is shared by several organizations and supports a specific community that has shared concerns

Cloud computing services are grouped into specific categories: Infrastructure, Platform and Software services.

Internal audit consideration will be required for the following in Cloud Computing:

Data Security : Ask the Cloud Service Provider (CSP) whether it receives a Service Organization Controls (SOC) 2 report, which is a third-party attestation report regarding the CSP’s controls relating to security, availability, processing integrity, confidentiality or privacy.  Verify that the scope of the SOC 2 report adequately covers the cloud services provided to your company, data security controls and that the auditor’s opinion is unqualified

Regulatory Compliance: Determine where the company’s data will be stored and the form of the data (e.g., production, backup, cache)

Availability: Verify that your company’s contract with the CSP includes provisions relating to system availability

Business Continuity and Disaster Recovery Planning: Verify that your company’s business continuity and disaster recovery plans are updated to incorporate the risks relating to the outsourcing of IT services to the CSP and that there are adequate plans in place to mitigate these risks

Return on Investment: Understand and review your company’s business case for moving to the cloud.  Verify that your company has clearly documented the cost and benefits and that it is tracking these to verify that they are realized.

Audit International are specialists in the recruitment of Internal Auditors and Corporate Governance Professionals across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 95.

839 total views, 1 today