The broad and rapid adoption of cloud computing by all sorts of businesses and organizations is quickly reshaping the way many key internal functions are expected to operate in — and adapt to — the new paradigm. That includes procurement, IT, risk management, governance, compliance, and audit, to name but a few. Departments that resist or drag their heels risk losing whatever autonomy they may possess. They may even risk becoming irrelevant.
Public cloud adoption is all about trust. First, you trust that whoever is committing your organization to the public cloud is fully informed of the costs, risks, proper governance, and the cloud’s potential pitfalls. Second, you trust your cloud service provider (as well as all its providers) to deliver against its promises, which you hope are enshrined in a well-constructed and balanced contract. If there are any fractures in the approach to risk, audit, and governance in the selection and implementation of your enterprise cloud systems, you, as CFO, need to be aware of them and take appropriate action. As any aircraft engineer will tell you, small cracks propagate swiftly and explosively when subjected to pressure. Experienced engineers know where to look. Do you?
Here’s one place: the eighth annual KPMG 2012 Audit Institute Report identified “IT Risk and Emerging Technologies” as the second-highest concern for audit committees, behind “Governance Processes, Controls and Risk Management.” (“IT Risk” was up from sixth place in 2011.) “Information Privacy/Security and Cyber-security” came in fourth. Interestingly, “Legal/Regulatory Compliance” fell to seventh place in 2012 from third in 2011. (These rankings are based on 140 audit-committee members who attended a KPMG conference this year.)
In and of itself, this should be a wake-up call for CFOs and company boards. If auditors sees “IT Risk and Emerging Technologies” as a significant concern, it’s important to ask why. Has audit been left behind as senior line-of-business executives launch their organization into the cloud, following the lure of lowering their costs, collapsing IT project delivery time, and driving innovation? Are those attractions trumping considerations of downside risk? Based on the KPMG report, it seems like that to me.
I’m sure that when you fly, you expect the crew has completed its preflight checklist before you take off. This is a form of auditing; in this case, it’s an audit of the tasks performed by the maintenance, flight, and ground crews. In the cloud, many enterprise aircraft are already airborne with a full complement of passengers; however, the preflight checklist may well have been given short shrift.
As a CFO with accountabilities in areas of enterprise audit and compliance, what are your strategies to make sure your business is flying safely? Here are seven critical points on your cloud audit checklist:
- Make sure all executives understand what cloud is and what it’s not. There are still many interpretations of cloud in the commercial haze of compelling offers, and some vendors offer pay-as-you-go models of what are really conventional IT offerings that appear cloudlike. Conversely, simply implementing Salesforce or Gmail does not necessarily make your organization cloud-enabled.
Ensuring that your key decision makers are well informed and appropriately advised about the nature of cloud computing is your organization’s best way to maximize its opportunities and realize value within known cost, risk, and compliance limitations. This involves much more than attending a vendor lunch. This is where evidence-based decision making should be top of mind.
- Understand current developments in the cloud audit landscape. Develop a robust listening strategy to keep abreast of the audit, regulatory, and compliance landscape as it relates to the cloud. Vendor-independent organizations such as the Cloud Security Alliance and the National Institute of Standards and Technology are excellent sources.
- Map your organization’s compliance baseline to your cloud. Identify the gaps between your current regulatory, legislative, and compliance standards and your cloud ecosystem. Once the gaps have been noted, you’re in a position to do something about them.
Know what you can and can’t do with data that is subject to specific legislation, especially with regard to privacy. This is particularly relevant if you are a multinational and are expecting your overseas operations to use the same U.S.-based or U.S.-owned foreign resident cloud provider. The revisions under way with the European Union Data Protection may or may not be a showstopper for you.
Well-known examples of compliance standards include Section 404 of the Sarbanes-Oxley Act and SAS70 (and its successor, SSAE 16, as well as ISAE 3402 Type II audits, both of which should be well known to CFOs).
Others personal data-protection guidelines include ISO/IEC WD TS 27017 (guidelines on information security controls for the use of cloud computing services, which is under development).
There is also a range of emerging standards that are specific to the operation and good governance of your cloud environment, such as ISO/IEC DIS 17826, which deals with the Cloud Data Management Interface (CDMI). Make sure that you (or someone you trust) are aware of the relevance of these standards to your organization.
- Pin the tail on the donkey. Confirm precisely and publicly who is, and just as importantly who is not, authorized to commit your organization to the cloud, while ensuring that accountability for risk, cost, and governance is appropriately and clearly assigned. The viral deployment of cloud solutions without appropriate visibility and authority may be a great opportunity for vendors, and it may fix short-term pain points, but it is probably not in your organization’s long-term interests, and it certainly makes auditing a game of hide-and-seek.
- Seek out and expose fundamental internal disagreements on your approach to the cloud. Auditors will take note of the divergence and misalignments of views held by staff and management associated with your cloud implementation. Inconsistency should be a key trigger for a deeper investigation that could open the vulnerabilities of your cloud implementation to further scrutiny. Ensuring adequate prepurchase due diligence is, of course, one way of avoiding this.
- Review and update your information-security policies. Policies that set standards for information security should align with what is actually happening in your business. If it’s been a while since those policies have been reviewed and updated to take into consideration the unique risks associated with cloud computing, do so sooner rather than later.
- Know what you can and cannot audit in the cloud. Major global cloud service providers do not permit client-initiated audits. Period. You have to rely on their audit processes and statements of compliance. If you have the opportunity to engage with smaller, local providers, they may be willing to submit to your own auditing. Remember: he cloud is all about trust.
Trust, that is, but verify. You should be able to satisfy yourself, your regulators, clients, shareholders, and the other stakeholders in your business that you are aware of how to select, implement, orchestrate, and manage your cloud ecosystem, mitigating avoidable, adverse, long-term surprises.
Right now, the commercial world is quite uncertain. One way to lessen the uncertainty introduced (and added) by your cloud solution is an effective audit. Or would you just prefer to trust your cloud? If it were my money, I know which path I’d take.
Rob Livingstone, a former CIO, is the author of the book Navigating Through the Cloud. He runs an IT advisory practice and is also a Fellow at the University of Technology Sydney (UTS), Australia, where he teaches in the areas of strategy and innovation in UTS’s flagship MBITM program. Visit Rob at www.rob-livingstone.com or e-mail him at [email protected].