8/17/2019 Navigating the Risks of Cloud Computing
1/2
With small steps, or in wholesale shifts,companies are adopting
cloud computing.The economics are too compelling toignore:
standardized IT processes atreduced costs can free up IT resources
tofocus on differentiating the business.
Yet risk is elevated because a broadcloud implementation
requires changesin processes, people, and systems.
CAEs have a signicant role to play
Chief audit executives should proactivelyengage the C-suite and
business leadersto understand what data and applicationsmay be
moved to the cloud. They thenshould investigate specic risks
andcontrols for near-term cloud adoption.
As critical IT functions move to thecloud, new risks will
arise. Internal audit(IA) should re-evaluate its annual
riskassessment, audit scope, and resources
to support its company’s cloud strategy.
A proactive lead on risk management
CAEs should partner with business leadersto perform “preventive
auditing” as theircompany executes its cloud adoption plan.
By identifying the controls and keyperformance indicators needed
to managerisks and provider performance, CAEscan take an early lead
in cloud strategyplanning and maximize the value of cloudcomputing
for their organizations.
Important roles for Internal Audit may include:
1. Manage the risks of internal change.Roles and
responsibilities change asa cloud model is adopted becauseexisting
processes and controls becomeobsolete. IA’s knowledge of business
risks,processes, and controls, combined witha proactive assessment
of post-cloudprocesses, will enable early identicationof areas of
change and risks.
2. Manage risks of external processes andsystems on the
cloud. Responsibilityfor managing risks—includinglegal,
regulatory, or reputational—remains with the company, not thecloud
provider. Security is top ofmind, and IA should be prepared
torecommend oversight requirementsgoverning the cloud provider
forsecurity and other prevalent risks.
3. Provide strong governance over cloudimplementation. IA
can providereal-time assurance and insight onattainment of the
objectives.
New risks to consider
The cloud model requires that IAunderstand the technology and
processesunderlying cloud computing, as well asthe complex
processes used to assessprovider performance. IA shouldunderstand
its company’s contractual,
Internal audit An accompanying piece to
10Minutes
Navigating the risks ofcloud computing
Highlights
Cloud computing elevates risk as tried andtrue internal IT
privacy and data controls andcompliance processes are replaced.
Yet a cloud strategy vetted and supportedby internal audit will
help companies takeadvantage of the compelling cost benefitswhile
managing new risks.
Internal audit can provide business insightby identifying and
communicating internalchanges, external dependencies, andoverall
progress on objectives. Assessing
the impact of the cloud starts withunderstanding the cloud
model—private,public, or hybrid—that your company plansto
adopt.
May 2011
8/17/2019 Navigating the Risks of Cloud Computing
2/2
Consider how thecloud can impact
your business:• How will your
data be protected?
• What changes willthe cloud bring to IT?
• How will cloudcomputing impactnew revenue
recognition?
• How will cloud affect your tax deductions?
• What control assurances does your cloud provider
offer?
operational, and regulatory requirements thatmight be affected.
IA should proactively engagetechnology, security, and regulatory
specialiststo help assess the impact of cloud adoption.
Success through governance
A broad adoption of cloud computing can
change virtually every business function, and IA canplay an
essential role through governance. IAshould develop an assessment
strategy thatdenes the “as is” and “to be” processes for
assessing service level agreements, monitor theimplementation to
identify interdependencies ornew risks, and document and evaluate
metricsto measure progress toward objectives.
Steps CAEs should take now
1. Discuss the cloud strategy with the C-suite,and gather
details from functional leadersfor small- and large-scale
adoption.
2. Develop an education plan on cloud
computing for internal audit resources.
3. To get your arms around rapidly evolvingpractices, engage an
adviser to keep
you abreast of trends in technology,enterprise risk,
governance, security,and privacy relevant to the cloud.
© 2011 PricewaterhouseCoopers LLP. All rights reserved.
“PricewaterhouseCoopers” refers to PricewaterhouseCoopers LLP, a
Delaware
limited liability partnership, or, as the context requires, the
PricewaterhouseCoopers global network or other member firms of the
network,each of which is a separate legal entity. This document is
for general information purposes only, and should not be used as a
substitute for
consultation with professional advisors.
4. For existing cloud implementations,engage an independent
party to help assessthe controls at your cloud provider.
How PwC can help
To have a deeper discussion aboutcloud computing, please
contact:
Robert MoritzUS Chairman and Senior Partner
Phone: 646-471-7293Email: [email protected]
Jason Pett Internal Audit Services LeaderPhone:
410-659-3380 Email: [email protected]
Michael PearlUS Cloud Computing LeaderPhone: 408-817-3801Email:
[email protected]
Cara BestonThird Party Assurance for Cloud ComputingPhone:
408-817-1210Email: [email protected]
