As organizations transition services to the cloud, both cloud customers and cloud service providers need ongoing assurance that controls have been put in place and are operating as intended. The internal audit function can also act as a "trusted advisor," proactively working with IT and the business to identify and address the risks associated with the various cloud service and deployment models.
An organization's internal audit function can provide:
- Visibility into the effectiveness of the cloud program
- Assurance to the board and the risk management team regarding the organization's cloud risk exposure
- An assessment of whether current business practices are helping the organization manage its risk and meet its strategic objectives
External audits are typically performed by an independent firm whose auditors are registered with a recognized professional body. External audits typically:
- Provide assurance that legal, regulatory, or contractual requirements are being met
- Occur annually unless otherwise specified
- Provide assurance to parties consuming services that the provider has and is maintaining required controls
As with financial, compliance, regulatory, and other risk-related audits, a cloud audit (and the audit of any associated outsourcing) must be scoped so that the focus and emphasis fall on the components most relevant to cloud computing. At a minimum, the audit should have a clear objective and a well-defined scope, and the planning should cover the following:
- Document list of current services/resources utilized from cloud service provider(s)
- Define key components of services (storage, utilization, processing, etc.)
- Define cloud services to be audited (IaaS, PaaS, SaaS)
- Define geographic locations permitted/required
- Define locations for audits to be undertaken
- Define key stages to audit (information gathering, workshops, gap analysis, verification evidence, etc.)
- Document key points of contact within cloud service provider and internal to organization
- Define escalation and communication points
- Define criteria and metrics by which the cloud service provider will be assessed
- Ensure the criteria are consistent with the SLA and the contract
- Factor in "busy periods" in the organization's calendar (financial year end, product launches, new service rollouts, etc.) when scheduling audit activities
- Ensure findings captured in previous reports or stated by the cloud service provider are actioned/verified
- Ensure previous nonconformities/high-risk items are reassessed/verified as part of the audit process
- Ensure any internal operational or business changes have been captured as part of the audit plan (reporting changes, governance, etc.)
- Agree on final reporting dates (conscious of business operations and operational availability)
- Ensure findings are captured and communicated back to relevant business stakeholders/executives
- Confirm report circulation/target audience
- Document risk management/risk treatment processes to be utilized as part of any remediation plans
- Agree on an auditable process for remediation actions (ensuring traceability and accountability)