Navigating the Risks of Cloud Computing


  • 8/17/2019 Navigating the Risks of Cloud Computing


    With small steps, or in wholesale shifts, companies are adopting cloud computing. The economics are too compelling to ignore: standardized IT processes at reduced costs can free up IT resources to focus on differentiating the business.

    Yet risk is elevated because a broad cloud implementation requires changes in processes, people, and systems.

    CAEs have a significant role to play

    Chief audit executives should proactively engage the C-suite and business leaders to understand what data and applications may be moved to the cloud. They then should investigate specific risks and controls for near-term cloud adoption.

    As critical IT functions move to the cloud, new risks will arise. Internal audit (IA) should re-evaluate its annual risk assessment, audit scope, and resources to support its company’s cloud strategy.

    A proactive lead on risk management

    CAEs should partner with business leaders to perform “preventive auditing” as their company executes its cloud adoption plan.

    By identifying the controls and key performance indicators needed to manage risks and provider performance, CAEs can take an early lead in cloud strategy planning and maximize the value of cloud computing for their organizations.

    Important roles for Internal Audit may include:

    1. Manage the risks of internal change. Roles and responsibilities change as a cloud model is adopted because existing processes and controls become obsolete. IA’s knowledge of business risks, processes, and controls, combined with a proactive assessment of post-cloud processes, will enable early identification of areas of change and risks.

    2. Manage risks of external processes and systems on the cloud. Responsibility for managing risks—including legal, regulatory, or reputational—remains with the company, not the cloud provider. Security is top of mind, and IA should be prepared to recommend oversight requirements governing the cloud provider for security and other prevalent risks.

    3. Provide strong governance over cloud implementation. IA can provide real-time assurance and insight on attainment of the objectives.

    New risks to consider

    The cloud model requires that IA understand the technology and processes underlying cloud computing, as well as the complex processes used to assess provider performance. IA should understand its company’s contractual,

     Internal audit  An accompanying piece to 10Minutes

    Navigating the risks of cloud computing

    Highlights

    Cloud computing elevates risk as tried and true internal IT privacy and data controls and compliance processes are replaced.

    Yet a cloud strategy vetted and supported by internal audit will help companies take advantage of the compelling cost benefits while managing new risks.

    Internal audit can provide business insight by identifying and communicating internal changes, external dependencies, and overall progress on objectives. Assessing the impact of the cloud starts with understanding the cloud model—private, public, or hybrid—that your company plans to adopt.

    May 2011


    Consider how the cloud can impact your business:

    • How will your data be protected?

    • What changes will the cloud bring to IT?

    • How will cloud computing impact new revenue recognition?

    • How will cloud affect your tax deductions?

    • What control assurances does your cloud provider offer?

    operational, and regulatory requirements that might be affected. IA should proactively engage technology, security, and regulatory specialists to help assess the impact of cloud adoption.

    Success through governance

    A broad adoption of cloud computing can change virtually every business function, and IA can play an essential role through governance. IA should develop an assessment strategy that defines the “as is” and “to be” processes for assessing service level agreements, monitor the implementation to identify interdependencies or new risks, and document and evaluate metrics to measure progress toward objectives.

    Steps CAEs should take now 

    1. Discuss the cloud strategy with the C-suite, and gather details from functional leaders for small- and large-scale adoption.

    2. Develop an education plan on cloud computing for internal audit resources.

    3. To get your arms around rapidly evolving practices, engage an adviser to keep you abreast of trends in technology, enterprise risk, governance, security, and privacy relevant to the cloud.

    4. For existing cloud implementations, engage an independent party to help assess the controls at your cloud provider.

    © 2011 PricewaterhouseCoopers LLP. All rights reserved. “PricewaterhouseCoopers” refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

    How PwC can help

    To have a deeper discussion about cloud computing, please contact:

    Robert Moritz
    US Chairman and Senior Partner
    Phone: 646-471-7293
    Email: [email protected]

    Jason Pett
    Internal Audit Services Leader
    Phone: 410-659-3380
    Email: [email protected]

    Michael Pearl
    US Cloud Computing Leader
    Phone: 408-817-3801
    Email: [email protected]

    Cara Beston
    Third Party Assurance for Cloud Computing
    Phone: 408-817-1210
    Email: [email protected]