
28 September 2017

Cloud computing
Chartered Institute of Internal Auditors

Get an overview of cloud computing: the likely benefits, significant risks and the ways that internal
audit can provide assurance.

What is cloud computing?
The growth of cloud computing
Different types of cloud
Systems architecture
Issues and risks
The role of internal audit

What is cloud computing?


Cloud computing is the provision of hardware and software services by a third-party company,
accessed over the internet. Exactly where the hardware and software are located and how it all works
doesn't matter to the user; it's just somewhere up in the nebulous 'cloud' that the internet
represents.

Most people use cloud computing but may not be aware of it. An internet search for example
retrieves results from hundreds, possibly thousands of computers around the world to answer a
question typed into a PC, laptop or mobile device. The same applies to web-based email, which
makes it possible to send, retrieve and store messages using a server operating in a remote part of
the world. It is now also possible to create and store documents, spreadsheets, videos and music
so that we can access them at any time using a web-based service.

All of these things also make cloud computing attractive to organisations because they can
concentrate on their primary purpose, whether it is caring for vulnerable people or manufacturing,
without maintaining complex computer systems. Cloud computing allows organisations to buy in
only the services they want, when they want them, cutting the upfront capital costs of computers
and peripherals. It is possible to add extra services or take them away at relatively short notice to
meet the organisation's changing needs.

© Chartered Institute of Internal Auditors

In brief cloud computing services provide:

• An on-demand service, similar to buying utilities like electricity and telephone services, so
organisations don't have to purchase or lease equipment that may not be fully utilised.
• Scalability, so organisations can scale capacity up and down within a relatively short space of
time without capital expenditure.
• Anywhere access to computing resources, allowing employees to work in many locations if need
be.
• A managed service. There's no need to buy licences for word-processing software or keep them
up to date, and the provider takes on routine tasks such as backing up files (although, as noted
below, the backup regime must be agreed in the contract rather than assumed). Cloud computing
therefore enables people to concentrate on whatever they are doing and leave the problem of
providing dependable computing to someone else.

The growth of cloud computing

Given these benefits it is no surprise that cloud computing has grown rapidly. A survey in 2014 by
the Cloud Industry Forum (CIF) based in the UK has shown that 78% of organisations have adopted
one or more cloud services representing growth of 61.5% since 2010 when their annual study first
began.

Furthermore, the study found that large enterprises showed the highest rate of cloud adoption
(80%), while small and medium businesses stood at 75% and the public sector at roughly 68%.
The drivers reflect the main benefits of cloud computing: 'flexibility of cloud as a delivery model'
was the main reason given by the private sector (17%), while 'operational cost savings' (21%) was
the main reason for cloud adoption in the public sector.

Different types of cloud


Private cloud
The cloud infrastructure is operated solely for an individual organisation and managed by the
organisation or a third party; it can exist on or off the organisation’s premises.

Community cloud
The cloud infrastructure is shared by several organisations and supports a specific community that
has common interests (e.g. mission, industry collaboration, or compliance requirements). It might
be managed by the community organisations or a third party and could exist on or off the premises.

Public cloud
The cloud infrastructure is available to the general public or a large industry group and is owned by
an organisation selling cloud services.

Hybrid Cloud
The cloud infrastructure is composed of two or more clouds (private, community, or public) that
remain unique entities but are bound together by standardised or proprietary technology that
enables data and application portability.

Systems architecture

The most common models of systems architecture are Software as a Service (SaaS), Platform as a
Service (PaaS) and Infrastructure as a Service (IaaS).

Software as a service (SaaS)


SaaS covers the applications organisations use to perform specific functions or processes, e.g. email,
customer management systems, enterprise resource planning systems and spreadsheets.

A more evolved form of SaaS that is gaining popularity is known as Business Process as a
Service (BPaaS). With BPaaS entire business processes (e.g. payroll and supply-chain
management) are outsourced to a third-party service provider and supported by a combination of
cloud service delivery solutions.

Platform as a service (PaaS)


PaaS provides environments for building and deploying applications. The Cloud Service Provider
(CSP) gives its customers proprietary tools that facilitate the creation of application systems and
programmes that run on the CSP's hosted infrastructure.

Infrastructure as a service (IaaS)


IaaS entails the provision of an entire virtual data centre of resources (e.g. network, computing
and storage resources).

More detail on cloud computing fundamentals and the different types of cloud and system
architecture can be found in the Information Systems Audit & Control Association (ISACA) guide
entitled IT Control Objectives for Cloud Computing. This guidance also contains information on
governance, building a business case for cloud computing, detailed analysis of risks and advice
upon obtaining assurance.

Issues and risks

Risks associated with cloud computing vary according to the type of cloud used and the systems
architecture, but there are a number of generic issues to be aware of. The main concern about cloud
computing is the fear that it might be insecure, with sensitive data exposed to unauthorised change,
loss and theft.

If this were to occur the reputation of the organisation would be severely damaged and may lead to
prosecution under relevant data protection legislation and fines from the sector regulator. What is
stored in the cloud and how it is going to be accessed and used are therefore important
considerations for all organisations. Wider discussion of security issues is set out in guidance on
cyber security.

A study called Is Your Cloud Provider Keeping Secrets?, with responses from 275 IT decision
makers and top-level executives throughout the US, UK and Singapore, highlights the problem of
poor communication. Over 50% of cloud customers say their cloud provider does not understand
their company's needs or care about their success.

In reality this means organisations need sufficient internal resources with the right level of expertise
to recognise when something goes wrong, assess how serious it is and have the ability to do
something about it quickly. It is easy to assume under cloud computing that fewer computing
resources are required, but it is important not to go too far, particularly around monitoring and control.

In addition, more time is needed to fully establish, monitor and manage service level agreements
(SLAs). Knowing who is responsible for what and who bears each risk is essential to any contract, and
cloud computing is no exception. For example, the 'keeping secrets' survey highlights serious concerns
over transparency, particularly regarding service quality and costs. Respondents have said they
receive incomplete cloud metadata (up-to-date information about their data and information about
the performance of cloud operations), which is critical to optimising cloud costs, maintaining
performance and demonstrating compliance.

Other issues within the SLA to consider are performance levels, the regularity of back-ups and the
arrangements for business continuity all of which relate to service availability. The lesson is that
such issues should be understood and agreed before a contract is signed.

Finally, there is often an assumption with cloud computing that the organisation will not only work in
a more efficient and effective way it will also save money. This is not always the case and there is a
risk that overall costs may increase due to add-ons within the SLA and some costs remaining
inside the organisation. For instance it may be necessary to create a new or refine an existing
process internally to enable cloud computing to work.

This might include the ability of the organisation's existing computer systems to interact with one
another and with those operated by the provider. The adoption of PaaS and IaaS offerings, which
increasingly host mobile applications and social media platforms, means that additional data and
processes are also moving outside of the organisation's firewall and into the cloud. Managers therefore
need to think about how their applications will talk to each other and devise effective strategies for
integration both within the cloud and between the cloud and the enterprise.

Research by Forbes magazine in 2013 shows how organisations rank the relative importance of
these issues; the results, described as the key cloud pain points, are set out in the table below.

Note: Due to multiple responses per interview the totals may exceed 100%

These cloud related pain points along with the issues and risks outlined draw attention to some
basic questions that management need to ask:

1. How do we know what is in the cloud?

2. Who will have access to our data?
3. What does the access permit users to do?
4. How secure will our data be, what security measures are being applied?
5. How will we know if a security breach occurs and how it will be contained?
6. How do we monitor performance of cloud services?
7. Who has responsibility to put things right and how long will it take?
8. How do we ensure business continuity if something goes wrong?
9. Can we retrieve our data and return to in-house systems if the provider goes out of business?

The list of questions, and there may be others to add, could well be asked by internal auditors as a
starting point for looking at how well risks are identified, assessed and managed in relation to cloud
computing.

The role of internal audit


The data governance and compliance issues faced by organisations are the same whether
operating in a cloud environment or not and the magnitude of the security task keeps increasing as
data volumes keep expanding (see our guidance on data analytics and big data).

When organisations are considering moving business data and systems into the cloud, a sound
data governance platform must be in place to avoid costly data protection mistakes. Internal audit
is ideally positioned to review how well the organisation has established sound IT governance and
IT security foundations, including defined organisational structures, documented policies, clarity of
roles and responsibilities, and performance and monitoring arrangements. While this sounds like a
substantial exercise for internal audit, it will be easier to perform by adopting a top-down approach as
recommended in GTAG 17 Auditing IT Governance and GTAG 15 Information Security Governance.
These documents explain the key governance risks and provide a range of questions and tools to help
internal audit perform a high-level review of governance arrangements.

Furthermore, as risk management is considered the basis of good governance, internal audit should
examine how well management has identified and assessed risks, particularly those related to
cloud computing, and express a view on whether or not this has been done effectively. This should
cover how emerging risks are regularly reviewed and reported through to senior executives and the
audit committee. The cloud provider should also have a mature risk management process in place
which is an important part of choosing a suitable partner. This means the organisation needs clear
visibility of the provider’s risk appetite and risk limits to gauge how much risk the provider is
prepared to tolerate.

Internal auditors do not need to be cloud computing experts to review governance and risk
management arrangements but should have sufficient knowledge of the organisation’s approach to
risk management so they can appreciate whether the process has been applied effectively. This
includes examining whether residual risks are actually being contained within defined risk appetites
and tolerances. However, reviewing the validity of management responses and auditing the
effectiveness of these responses are likely to warrant specialist knowledge and internal audit will
need to consider if it has such expertise, and if not, how it might be acquired including co-sourcing
and outsourcing arrangements.

Ideally, the migration to cloud computing should be seen as an extension of the operational
perimeter of the business and should fit well with the overall strategic objectives of the organisation.
It is not merely buying cloud services; it is about choosing a reliable partner, and that choice should be
based on a thorough business case that involves due diligence. This is necessary because the legal
responsibility for safeguarding personal data lies with the organisation; the responsibility does not
transfer to the service provider.

Internal audit can play a valuable role in this process by independently examining and validating how
the business case for cloud computing has been prepared and the way the organisation undertakes
due diligence as part of the project. There are two aspects to look at: the way due diligence is
structured, and then how it is applied and how the results are reported. Due diligence is a subjective
exercise, so precisely how it is best done is open to interpretation, but internal audit can verify that
a number of basic questions have been asked along with the ones listed earlier:

1. Do they serve similar clients? (Can they offer testimonials and references?)
2. Do they have a good track record? (Any history of security problems and fines)
3. Are they financially stable? (Availability of financial statements and bank references)
4. How will they provide support? (Where, when and how with service level agreements)
5. Who will be our contact? (generic service desk or dedicated account manager)
6. Do they have adequate resilience and contingency arrangements?
7. Have they performed their own risk assessment? (Can we see the risk register?)
8. Will they offer discounts for ‘bundling’ more services? (Telephony, mobile, desktop)
9. What is the migration process? (How much effort is required on our part?)
10. What is the default data storage/usage volume? (Will this work for us?)
11. Is there a cultural fit? (Can we work with these people?)
12. Do they hold quality and IT certifications? (Such as ISO 9001 and ISO 27001; note that COBIT is a
governance framework rather than an organisational certification, so ask how they align with it)
13. Do they have internal audit? (Will they provide reports?)
14. Will we have a right to conduct our own audits? (Including penetration tests, which shared,
multi-tenant providers typically permit only under an agreed scope and authorisation, so the
provider's testing policy should be confirmed before contract)

The logical progression from this is for internal audit to be involved in reviewing the service level
agreement between the organisation and the cloud provider, particularly in relation to controls,
performance monitoring and the availability of audit reports. The Cloud Standards Customer Council
has produced a practical guide to cloud service level agreements that sets out 10 important steps
to consider. The European Commission has also produced SLA standardisation guidelines.

Providing assurance upon the management of risks and gathering evidence through audit testing is
a difficult thing to do when the organisation is relying on a service provider with multiple clients. In
response it is becoming increasingly common for cloud service providers to organise regular audit
reviews from an independent auditor(s) and to share the report across the client base. This provides
the organisation and its internal audit function with an opportunity to comment on the scope and the
focus of the assurance, which may include:

• Specific criteria, such as reliability, effectiveness, efficiency, availability and confidentiality.
• Subject matter, such as technical standards, guidance and practices.
• Professional working standards, guidelines and practices.

Assurance standards for such audit reviews are continually evolving, but the most valued are
currently ISO 27001 (certification of an information security management system), ISAE 3402 (the
standard an auditor must follow when reporting on the internal controls of a service organisation)
and AICPA SOC 1 reports (the American Institute of CPAs' counterpart to ISAE 3402). Note that ISAE
3402 and SOC 1 reports cover controls relevant to the customer's financial reporting; a provider's
security, availability and confidentiality controls are the subject of a SOC 2 report, so the report
requested should match the assurance being sought. In addition ISACA provides a range of cloud
computing guidance aimed at directors, security professionals and auditors.

While all these forms of assurance are useful, there is a growing need for assurance to become
more real-time, continuous and process-oriented. Internal audit therefore has an opportunity to work
with the management of the organisation to establish continuous monitoring arrangements in
relation to cloud operations. More advice about continuous monitoring and continuous auditing can
be found in GTAG 3. Where this is applied, internal audit's role becomes one of providing assurance
that monitoring and controls are working and that management is taking appropriate and effective
action when risks and issues emerge.
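The SLA terms discussed earlier (availability and the regularity of back-ups) are the natural first targets for such continuous monitoring. The following is an added example, not part of the CIIA guidance and not any provider's tooling: it takes an outage log and a backup completion log (both constructed inline here) and tests them against hypothetical SLA targets, merging overlapping incident records so downtime is not double-counted and treating the reporting window's edges as backup boundaries. The SLA figures, record formats and function names are all assumptions.

```python
"""Continuous SLA check over constructed outage and backup records.

Added example (not from the CIIA guidance). Assumes the provider supplies an
incident log of (start, end) timestamps and a log of backup completion times,
both in UTC ISO 8601; the SLA figures below are hypothetical.
"""
from datetime import datetime, timedelta

# Hypothetical SLA terms agreed in the contract
SLA = {
    "availability_pct": 99.9,                  # monthly availability commitment
    "backup_interval": timedelta(hours=24),    # agreed backup cadence
}

# Reporting window: September 2017 (30 days = 43,200 minutes)
WINDOW_START = datetime(2017, 9, 1)
WINDOW_END = datetime(2017, 10, 1)

# Constructed outage records. The first straddles the window start; the third
# overlaps the second (a duplicated ticket) and must not be counted twice.
OUTAGES = [
    ("2017-08-31T23:30:00", "2017-09-01T00:20:00"),
    ("2017-09-12T08:00:00", "2017-09-12T08:25:00"),
    ("2017-09-12T08:20:00", "2017-09-12T08:30:00"),
    ("2017-09-20T14:10:00", "2017-09-20T14:15:00"),
]

# Constructed backup completions: nightly at 02:00, with no backup on the 4th
BACKUPS = [f"2017-09-{d:02d}T02:00:00" for d in range(1, 31) if d != 4]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def merged_downtime(outages, start, end):
    """Minutes of outage inside [start, end), clipped to the window and with
    overlapping or duplicated records merged into single spans."""
    spans = sorted((max(parse(a), start), min(parse(b), end)) for a, b in outages)
    total = timedelta()
    cur_s = cur_e = None
    for s, e in spans:
        if e <= s:                        # record lies entirely outside the window
            continue
        if cur_e is None or s > cur_e:    # new span that does not overlap the current one
            if cur_e is not None:
                total += cur_e - cur_s
            cur_s, cur_e = s, e
        else:                             # overlaps the current span: extend it
            cur_e = max(cur_e, e)
    if cur_e is not None:
        total += cur_e - cur_s
    return total.total_seconds() / 60


def availability_pct(outages, start, end):
    window = (end - start).total_seconds() / 60
    return 100.0 * (window - merged_downtime(outages, start, end)) / window


def backup_gaps(backups, start, end, interval):
    """Successive backup pairs whose spacing exceeds the agreed interval. The window
    edges are included so a missing first or last backup is also caught."""
    points = [start] + sorted(parse(b) for b in backups) + [end]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > interval]


def sla_findings(outages, backups, start, end, sla):
    """Human-readable SLA breaches for the reporting window (empty if compliant)."""
    findings = []
    avail = availability_pct(outages, start, end)
    if avail < sla["availability_pct"]:
        findings.append(f"availability {avail:.3f}% is below the SLA target of "
                        f"{sla['availability_pct']}%")
    for a, b in backup_gaps(backups, start, end, sla["backup_interval"]):
        findings.append(f"backup gap of {b - a} between {a:%Y-%m-%d %H:%M} and "
                        f"{b:%Y-%m-%d %H:%M} exceeds the agreed {sla['backup_interval']}")
    return findings


if __name__ == "__main__":
    for line in sla_findings(OUTAGES, BACKUPS, WINDOW_START, WINDOW_END, SLA):
        print("SLA breach:", line)
```

Run against the constructed records this reports two breaches: 55 minutes of merged downtime gives 99.873% availability against a 99.9% target (which allows about 43 minutes per 30-day month), and the missing backup on 4 September produces a 48-hour gap. The point for the auditor is that both findings come from the provider's own evidence rather than from its self-reported figures; the same structure extends to any other metric the SLA quantifies.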

