Auditing in the Cloud Can Technology improve Audit compliance ..... and how secure is it? Tony Carrucan CEO Mediasphere Rich Neal CEO Auditflow

Auditing in the Cloud

DESCRIPTION

This presentation provides information and tips to assist accountants and auditors in introducing cloud technologies into their business. Auditflow - www.auditflow.com - offers a range of innovative audit compliance solutions. Mediasphere - www.mediasphere.com.au - builds websites and client portals for accountants and auditors globally. Contact Tony Carrucan on [email protected] for more information.

Page 1: Auditing in the Cloud

Auditing in the Cloud

Can Technology improve Audit compliance ..... and how secure is it?

Tony Carrucan CEO Mediasphere

Rich Neal CEO Auditflow

Page 2: Auditing in the Cloud

HOW TO USE THE KEYPADS

1. Choose your response from the corresponding keypad button(s).
2. The light will go GREEN to confirm your response has been received.
3. You can change your answer (whilst voting is open) simply by pressing your new response button(s). (The system will only count the last vote.)

Page 3: Auditing in the Cloud

Keypad Responses

Please note all responses for this session will be ANONYMOUS.

Page 4: Auditing in the Cloud

Where are you from?

1. Australia
2. NZ
3. Singapore
4. China
5. Other

Recorded responses (chart values as extracted, not matched to options): 12%, 24%, 0%, 2%, 61%

Page 5: Auditing in the Cloud

Are you:

1. Male
2. Female
3. Not sure

Recorded responses (chart values as extracted, not matched to options): 61%, 15%, 24%

Page 6: Auditing in the Cloud

Are you in public practice?

1. Yes
2. No

Recorded responses (chart values as extracted, not matched to options): 62%, 38%

Page 7: Auditing in the Cloud

Do you understand what the Cloud is about?

1. Absolutely
2. Sort of
3. Not really
4. Clear as mud

Recorded responses (chart values as extracted, not matched to options): 22%, 9%, 28%, 41%

Page 8: Auditing in the Cloud

Do you think the Cloud is secure?

1. Yes
2. I think so
3. I don’t think so
4. No

Recorded responses (chart values as extracted, not matched to options): 6%, 13%, 38%, 44%

Page 9: Auditing in the Cloud

Do you think content and applications are more likely to be up to date if hosted in the Cloud?

1. Yes
2. I think so
3. I don’t think so
4. No

Recorded responses (chart values as extracted, not matched to options): 40%, 9%, 6%, 46%

Page 10: Auditing in the Cloud

Do you audit?

1. Yes
2. No

Recorded responses (chart values as extracted, not matched to options): 43%, 57%

Page 11: Auditing in the Cloud

How many SME audits would you do annually?

1. 1 – 5
2. 6 – 10
3. 11 – 15
4. 16 – 20
5. 21 – 50
6. 51+

Recorded responses (chart values as extracted, not matched to options): 42%, 21%, 5%, 16%, 16%, 0%

Page 12: Auditing in the Cloud

How many SMSF audits would you do annually?

1. 1 – 5
2. 6 – 10
3. 11 – 26
4. 27 – 50
5. 51 – 100
6. 101 – 500
7. 500+

Recorded responses (chart values as extracted, not matched to options): 56%, 0%, 11%, 0%, 0%, 33%, 0%

Page 13: Auditing in the Cloud

The World has Changed!

Page 15: Auditing in the Cloud

The Next 5 Years

Page 16: Auditing in the Cloud

Device Growth of Adoption

Page 18: Auditing in the Cloud

Why is Everyone Talking About the Cloud?

Cloud Computing is a revolution that will change your business for the better, letting you work faster, cheaper and better… and from just about anywhere.

Cloud Computing is one term for Internet-based software and hardware platforms. Basically, instead of installing programs on your own computer, you access them over the Internet. Gmail is cloud computing; in fact most of what Google offers is cloud computing, because you access it via a web interface.

Page 21: Auditing in the Cloud

What is Cloud Computing?

Page 22: Auditing in the Cloud

Gartner Cloud Computing Research 2011

Page 23: Auditing in the Cloud

Your Company as a Social Enterprise

During his Dreamforce keynote earlier this year, Marc Benioff, CEO of Salesforce, spoke of the power and absolute inevitability of the social revolution and the need for companies to transform themselves into social enterprises. All of that is best achieved, he said, through the use of cloud technology and philosophy.

Page 26: Auditing in the Cloud

Queensland Premier’s Website: Toward Q2: Tomorrow’s Queensland

Page 27: Auditing in the Cloud

www.myq2.com.au – Gov 2.0 in the Cloud

Page 28: Auditing in the Cloud

MyQ2 – My Site in the Cloud

Page 29: Auditing in the Cloud

Technical Cloud 101 = Software-, Platform- and Infrastructure-as-a-Service

SaaS or Software-as-a-Service is the application that lets you perform your daily activities and tasks, as you would on your desktop computer, but on demand. Software on demand means you only use it when you need it, and therefore only pay for and consume resources when you need them, anywhere, anytime.

PaaS or Platform-as-a-Service delivers a computing platform that allows your application to consume computing resources as needed.

IaaS or Infrastructure-as-a-Service is the infrastructure or environment in which servers and resources are managed and securely monitored.

Page 30: Auditing in the Cloud

Where do Acronyms fit in?

Note, though, that not all SaaS providers rely on PaaS and/or IaaS.

Page 31: Auditing in the Cloud

Infrastructure-as-a-Service

Layers of the IaaS stack (bottom to top):

- Data comm: Tier-1 bandwidth, public/WAN IP, etc.
- Networking: routers, VLAN, managed switches, etc.
- Hardware: dual quad-core processors, DAS/SAN/NAS storage, redundant PSU and NIC, etc.
- Virtualisation: 2+ virtual machines with HA; managed firewall/router/VPN, etc.
- Application server stack (the customer's own layer on top of the infrastructure)

Page 32: Auditing in the Cloud

Platform-as-a-Service

Layers of the PaaS stack (bottom to top):

- Operating systems: RHEL, Solaris, Debian, Windows Server, Ubuntu, etc.
- Data and file: storage, database cluster, and data warehouse
- Application services: core computing platform, queue services, scalability, high availability, resource management
- Development & API: user interface, business logic, data model
- Deployment: software deployment, customisation, billing, provisioning, monitoring
- Software access (the customer's own layer on top of the platform)

Page 33: Auditing in the Cloud

Software-as-a-Service

Layers of the SaaS stack (bottom to top):

- Data and files: storage, database cluster, and data warehouse
- Data access: controlled access to data directly from the application or via a Web Service API
- Application features: user management, customer management, online forms, reporting tools, etc.
- User interface: user interaction, roles and access, customisation
- Commercial models: subscription-based, transaction-based, ad-based

Page 34: Auditing in the Cloud

Auditing-as-a-Service

Roles in the audit workflow:

- Engagement Partner: monitors the firm's audit workflow
- Review Partner: sees what review points are outstanding with clients
- Manager: working on and managing audit engagements
- Intermediate Auditor: working on client audit assignments
- Junior Auditor: working on client audit assignments

Engagement types: SME Audit, Corporate Audit, SMSF Audit

Page 36: Auditing in the Cloud

Current challenges with Data

1. Data Confidentiality and Compliancy

2. Data Segregation

3. Data Integrity

• A lack of understanding about cloud technologies leads accountants and auditors to assume that data is safer on their own computers and servers.

• What would happen if you lost your laptop? Is your data encrypted, or just protected by your password? And how safe is your password?

Let's explore the risks and mitigation strategies in the cloud.

Page 40: Auditing in the Cloud

Cloud Computing Adoption

Is cloud computing just a trend or is it a technology that you seriously consider in your business?

Page 41: Auditing in the Cloud

GFC – What did we learn?

• Compliance requirements escalated
• Accuracy & responsibility in financial reporting
• Simplicity – amongst the complexity of changing rules

Financial planners and accountants alike require a full suite of reliable, compliant applications.

Page 42: Auditing in the Cloud

96% of Small / Medium Australian company auditors fail the compliance test (ASIC Report – 2008/2009). Chart: 96% fail, 4% pass.

Page 43: Auditing in the Cloud

Over 570,000 audits are conducted in Australia per annum; 450,000 of these are SMSF audits.

Over 10 million audits are conducted annually worldwide. International Auditing Standards have been adopted by 125 countries.

Page 44: Auditing in the Cloud

Industry is not keeping up with:

• Changing regulations
• Enormous volume of requirements
• Low margin for their fees
• Time constraints
• Lack of tools & knowledge

Page 45: Auditing in the Cloud

The average audit firm using traditional audit practice

- Every now and then, we run out of data storage space, buy more servers, update the printer, replace ink, or revert to a backup because a junior has deleted the wrong folder. Then every year you need to update all your software licences.

- Why pay for software, servers and a team of IT professionals when all of this can be in the cloud?

Stages of the traditional audit workflow:

1. Create / set up client files
2. Preliminary work
3. Audit planning process & audit procedures
4. Review process
5. Audit complete and archiving

Supporting activities handled manually today:

- Email & fax correspondence
- Folder and file management through Windows Explorer
- Managing client contacts
- File versioning and track changes
- Multi-user access

Page 46: Auditing in the Cloud

Cloud

• Easily and constantly updated
• Processes to guide compliance
• Secure access to data
• Unlocks the process
• Builds around the client
• Simplifies support
• Seamless upgrades
• Client centric
• Centrally managed

Page 47: Auditing in the Cloud

What does it mean to you and your Auditing team (Benefits)

1. Do what you and your audit team excel at doing

2. Reduce cost

3. Mobility and accessibility

4. No software upgrade hassle

5. No tape backup and System backup to worry about

6. Compliance and references up to date and automated

7. Collaboration with audit engagement team

8. Eco-friendly

9. Less or no paper storage required

10. Business continuity and high availability

Page 48: Auditing in the Cloud

Risks and Issues

1. Security of information

2. Contingency plan

3. Disaster recovery plan

4. Confidentiality of information

5. Always connected

6. Offshore Data Storage, legislation and jurisdiction

Page 49: Auditing in the Cloud

Cloud Security

IT analyst firm Gartner identifies seven specific security issues that users should raise with app vendors before purchasing.

1. Privileged user access.

• Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs.

• Get as much information as you can about the people who manage your data.

• "Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access," Gartner says.

http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853

Page 50: Auditing in the Cloud

Cloud Security

2. Regulatory compliance.

• Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider.

• Traditional service providers are subjected to external audits and security certifications.

• Cloud computing providers who refuse to undergo this scrutiny are "signalling that customers can only use them for the most trivial functions," according to Gartner.

Page 51: Auditing in the Cloud

Cloud Security

3. Data location.

• When you use the cloud, you probably won't know exactly where your data is hosted. In fact, you might not even know what country it will be stored in.

• Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, Gartner advises.

Page 52: Auditing in the Cloud

Cloud Security

4. Data segregation.

• Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all.

• "Find out what is done to segregate data at rest," Gartner advises.

• The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists.

• "Encryption accidents can make data totally unusable, and even normal encryption can complicate availability," Gartner says.

Page 53: Auditing in the Cloud

Cloud Security

5. Recovery.

• Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster.

• "Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure," Gartner says.

• Ask your provider if it has "the ability to do a complete restoration, and how long it will take."

Page 54: Auditing in the Cloud

Cloud Security

6. Investigative support.

• Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns.

• "Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centres.

• If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible."

Page 55: Auditing in the Cloud

Cloud Security

7. Long-term viability.

• Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event.

• "Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application," Gartner says.

Page 56: Auditing in the Cloud

Top security tips for you and what you can do

As an end-user, you should consider the following:

1. Strong password – more than 8 characters, a combination of alphanumeric and uppercase/lowercase characters.

2. Replace alpha characters in your password with special characters; e.g. a -> @, i -> !, b -> 6, q -> 9, s -> 5 or %, e -> 3 or #. See http://howsecureismypassword.net/

3. Have a security question answer that has nothing to do with the question.

4. Do not use the "remember me" feature of your web browser.

5. Ensure you log in through, and stay on, the HTTPS protocol. If your app vendor doesn't provide it, then question whether the possible exposure of data is acceptable for the type of work you are undertaking.

Page 57: Auditing in the Cloud

Common security practices by providers

1. Application level
   - Encrypted data transfer through VPN or HTTPS protocols
   - Encrypted passwords
   - Provide a captcha after multiple login failure attempts
   - Policy and role based access
   - Uploading file restriction
   - At the code-base level: SQL injection proof, data defamation, session management

2. Platform level
   - Firewall and IP tables
   - Access log and monitoring tools

3. Infrastructure level
   - DMZ and first level of firewall
   - Network isolation (VLAN, domain (IPsec) security, etc.)
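The end-user password rule on the previous slide and the provider-side practices listed above (stored password protection, captcha after repeated failures) can be made concrete in code. The following is an added example, not code from the presentation or from Auditflow/Mediasphere: it checks the slide's password rule (more than 8 characters, letters and digits, mixed case), stores a salted, iterated hash rather than a reversible encryption, and counts failed logins per user so the application can demand a captcha once a threshold is hit. The threshold of 3 failures, the PBKDF2 work factor and all function names are assumptions.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 9                  # slide rule: "more than 8 characters"
CAPTCHA_AFTER_FAILURES = 3      # assumed threshold; the slide gives none
PBKDF2_ITERATIONS = 200_000     # assumed work factor


def password_meets_policy(password: str) -> bool:
    """Apply the slide's rule: >8 chars, letters and digits, upper and lower case."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.isdigit() for c in password)
        and any(c.isalpha() for c in password)
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
    )


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; a fresh random salt is used if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the digest and compare in constant time so timing leaks nothing."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


class LoginThrottle:
    """Per-user failure counter; once the threshold is reached a captcha must be solved."""

    def __init__(self, threshold: int = CAPTCHA_AFTER_FAILURES) -> None:
        self.threshold = threshold
        self.failures: dict[str, int] = {}

    def captcha_required(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.threshold

    def attempt(self, user: str, password: str, salt: bytes, stored: bytes,
                captcha_ok: bool = False) -> str:
        """Return 'ok', 'captcha' (blocked until a captcha is solved) or 'denied'."""
        if self.captcha_required(user) and not captcha_ok:
            return "captcha"
        if verify_password(password, salt, stored):
            self.failures.pop(user, None)   # success clears the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"
```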

Page 58: Auditing in the Cloud

Do you understand what the Cloud is about?

1. Absolutely
2. Sort of
3. Not really
4. Clear as mud

Recorded responses (chart values as extracted, not matched to options): 61%, 3%, 0%, 35%

Page 60: Auditing in the Cloud

Do you think the Cloud is secure?

1. Yes
2. I think so
3. I don’t think so
4. No

Recorded responses (chart values as extracted, not matched to options): 35%, 12%, 12%, 42%

Page 62: Auditing in the Cloud

Do you think content and applications are more likely to be up to date if hosted in the Cloud?

1. Yes
2. I think so
3. I don’t think so
4. No

Recorded responses (chart values as extracted, not matched to options): 69%, 0%, 3%, 28%

Page 64: Auditing in the Cloud

THANK-YOU!

Please leave your keypad on the table or your chair; it won’t open your garage door or turn on your TV! I have programmed it to send an electric bolt if you take it out of the room … Thank you. www.keepad.com

Page 65: Auditing in the Cloud

References and future readings

http://www.mindtouch.com/blog/2008/05/28/differences-between-saas-and-cloud-software/

http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853

http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf

http://cloudsecurity.trendmicro.com/tag/iaas/

http://blogs.oracle.com/gbrunett/entry/security_recommendations_for_iaas_providers

http://social.technet.microsoft.com/wiki/contents/articles/3794.aspx

http://social.technet.microsoft.com/wiki/contents/articles/security-implications-of-cloud-service-models.aspx

http://www.csoonline.com/article/660065/saas-paas-and-iaas-a-security-checklist-for-cloud-models

http://www.securityinfowatch.com/root%20level/7-requirements-saas

http://www.saasblogs.com/saas/demystifying-the-cloud-where-do-saas-paas-and-other-acronyms-fit-in/

http://www.rightwaysolution.com/SaaS.html

Charles, E. Getting your head around the cloud, In Practice Magazine, 2011, Issue 1

Page 66: Auditing in the Cloud

Keep in Contact

Tony Carrucan

CEO Mediasphere

[email protected]

www.mediasphere.com.au

Richard Neal

CEO Auditflow

[email protected]

www.auditflow.com.au