The broad and rapid adoption of cloud computing by all sorts of businesses and organizations is quickly reshaping the way many key internal functions are expected to operate in — and adapt to — the new paradigm. That includes procurement, IT, risk management, governance, compliance, and audit, to name but a few. Departments that resist or drag their heels risk losing whatever autonomy they may possess. They may even risk becoming irrelevant.
Public cloud adoption is all about trust. First, you trust that whoever is committing your organization to the public cloud is fully informed of the costs, risks, proper governance, and the cloud’s potential pitfalls. Second, you trust your cloud service provider (as well as all its providers) to deliver against its promises, which you hope are enshrined in a well-constructed and balanced contract. If there are any fractures in the approach to risk, audit, and governance in the selection and implementation of your enterprise cloud systems, you, as CFO, need to be aware of them and take appropriate action. As any aircraft engineer will tell you, small cracks propagate swiftly and explosively when subjected to pressure. Experienced engineers know where to look. Do you?
Here’s one place: the eighth annual KPMG 2012 Audit Institute Report identified “IT Risk and Emerging Technologies” as the second-highest concern for audit committees, behind “Governance Processes, Controls and Risk Management.” (“IT Risk” was up from sixth place in 2011.) “Information Privacy/Security and Cyber-security” came in fourth. Interestingly, “Legal/Regulatory Compliance” fell to seventh place in 2012 from third in 2011. (These rankings are based on 140 audit-committee members who attended a KPMG conference this year.)
In and of itself, this should be a wake-up call for CFOs and company boards. If auditors see “IT Risk and Emerging Technologies” as a significant concern, it’s important to ask why. Has audit been left behind as senior line-of-business executives launch their organization into the cloud, following the lure of lowering their costs, collapsing IT project delivery time, and driving innovation? Are those attractions trumping considerations of downside risk? Based on the KPMG report, it seems like that to me.
I’m sure that when you fly, you expect the crew has completed its preflight checklist before you take off. This is a form of auditing; in this case, it’s an audit of the tasks performed by the maintenance, flight, and ground crews. In the cloud, many enterprise aircraft are already airborne with a full complement of passengers; however, the preflight checklist may well have been given short shrift.
As a CFO with accountabilities in areas of enterprise audit and compliance, what are your strategies to make sure your business is flying safely? Here are seven critical points on your cloud audit checklist:
Ensuring that your key decision makers are well informed and appropriately advised about the nature of cloud computing is your organization’s best way to maximize its opportunities and realize value within known cost, risk, and compliance limitations. This involves much more than attending a vendor lunch. This is where evidence-based decision making should be top of mind.
Know what you can and can’t do with data that is subject to specific legislation, especially with regard to privacy. This is particularly relevant if you are a multinational and are expecting your overseas operations to use the same U.S.-based or U.S.-owned foreign resident cloud provider. The revisions under way with the European Union Data Protection may or may not be a showstopper for you.
Well-known examples of compliance standards include Section 404 of the Sarbanes-Oxley Act and SAS70 (and its successor, SSAE 16, as well as ISAE 3402 Type II audits, both of which should be well known to CFOs).
Other personal data-protection guidelines include ISO/IEC WD TS 27017 (guidelines on information security controls for the use of cloud computing services, which is under development).
There is also a range of emerging standards that are specific to the operation and good governance of your cloud environment, such as ISO/IEC DIS 17826, which deals with the Cloud Data Management Interface (CDMI). Make sure that you (or someone you trust) are aware of the relevance of these standards to your organization.
Trust, that is, but verify. You should be able to satisfy yourself, your regulators, clients, shareholders, and the other stakeholders in your business that you are aware of how to select, implement, orchestrate, and manage your cloud ecosystem, mitigating avoidable, adverse, long-term surprises.
Right now, the commercial world is quite uncertain. One way to lessen the uncertainty introduced (and added) by your cloud solution is an effective audit. Or would you just prefer to trust your cloud? If it were my money, I know which path I’d take.
Rob Livingstone, a former CIO, is the author of the book Navigating Through the Cloud. He runs an IT advisory practice and is also a Fellow at the University of Technology Sydney (UTS), Australia, where he teaches in the areas of strategy and innovation in UTS’s flagship MBITM program. Visit Rob at www.rob-livingstone.com or e-mail him at [email protected].