This presentation provides information and tips to assist accountants and auditors in introducing cloud technologies into their business. Auditflow - www.auditflow.com - offers a range of innovative audit compliance solutions. Mediasphere - www.mediasphere.com.au - builds websites and client portals for accountants and auditors globally. Contact Tony Carrucan on [email protected] for more information.
Auditing in the Cloud
Can Technology improve Audit compliance ..... and how secure is it?
Tony Carrucan CEO Mediasphere
Rich Neal CEO Auditflow
HOW TO USE THE KEYPADS
1. Choose your response from the corresponding keypad button(s).
2. The light will go GREEN to confirm your response has been received.
3. You can change your answer (whilst voting is open) simply by pressing your new response button(s). The system will only count the last vote.
Keypad Responses
Please note all responses for this session will be ANONYMOUS.
Keypad poll (before the presentation)

Where are you from?
1. Australia
2. NZ
3. Singapore
4. China
5. Other
Chart values as extracted: 12%, 24%, 0%, 2%, 61%

Are you:
1. Male
2. Female
3. Not sure
Chart values as extracted: 61%, 15%, 24%

Are you in public practice?
1. Yes
2. No
Chart values as extracted: 62%, 38%

Do you understand what the Cloud is about?
1. Absolutely
2. Sort of
3. Not really
4. Clear as mud
Chart values as extracted: 22%, 9%, 28%, 41%

Do you think the Cloud is secure?
1. Yes
2. I think so
3. I don't think so
4. No
Chart values as extracted: 6%, 13%, 38%, 44%

Do you think content and applications are more likely to be up to date if hosted in the Cloud?
1. Yes
2. I think so
3. I don't think so
4. No
Chart values as extracted: 40%, 9%, 6%, 46%

Do you audit?
1. Yes
2. No
Chart values as extracted: 43%, 57%

How many SME audits would you do annually?
1. 1 - 5
2. 6 - 10
3. 11 - 15
4. 16 - 20
5. 21 - 50
6. 51+
Chart values as extracted: 42%, 21%, 5%, 16%, 16%, 0%

How many SMSF audits would you do annually?
1. 1 - 5
2. 6 - 10
3. 11 - 26
4. 27 - 50
5. 51 - 100
6. 101 - 500
7. 500+
Chart values as extracted: 56%, 0%, 11%, 0%, 0%, 33%, 0%
The World has Changed!
The Next 5 Years
Device Growth of Adoption
Why is Everyone Talking About the Cloud?
Cloud Computing is a revolution that will change your business for the better, letting you work faster, cheaper and better, and from just about anywhere.
What is Cloud Computing?
Cloud Computing is one term for Internet-based software and hardware platforms. Basically, instead of installing programs on your own computer, you access them over the Internet. Gmail is cloud computing; in fact most of what Google offers is cloud computing, accessed via a web interface.
Gartner Cloud Computing Research 2011
Your Company as a Social Enterprise
During his Dreamforce keynote earlier this year, Marc Benioff, CEO of Salesforce, spoke of the power and absolute inevitability of the social revolution and the need for companies to transform themselves into social enterprises. All of that, he said, is best achieved through the use of cloud technology and philosophy.
Queensland Premier's Website: Toward Q2: Tomorrow's Queensland
www.myq2.com.au – Gov 2.0 in the Cloud
MyQ2 – My Site in the Cloud
Technical Cloud 101 = Software-, Platform- and Infrastructure-as-a-Service
SaaS (Software-as-a-Service) is the application layer: the software you use for your daily activities and tasks, delivered on demand over the Internet instead of being installed on your desktop computer. On demand means you use it only when you need it, and pay for and consume resources only then, from anywhere, at any time.
PaaS (Platform-as-a-Service) delivers the computing platform on which your application runs, letting it consume computing resources as needed.
IaaS (Infrastructure-as-a-Service) is the underlying environment of servers, storage and network, managed and securely monitored by the provider.
Where do the acronyms fit in?
SaaS is typically built on a PaaS, which in turn runs on an IaaS, though not all SaaS providers rely on PaaS and/or IaaS.
Infrastructure-as-a-Service
- Virtualisation: 2+ virtual machines with HA
- Managed firewall/router/VPN etc.
- Hardware: dual quad-core processors, DAS/SAN/NAS storage, redundant PSU and NIC, etc.
- Networking: routers, VLAN, managed switches, etc.
- Data comm: Tier-1 bandwidth, public/WAN IP, etc.
- Application server stacks (multiple, running on the virtual machines)
Platform-as-a-Service
- Deployment: software deployment, customisation, billing, provisioning, monitoring
- Development & API: user interface, business logic, data model
- Application services: core computing platform, queue services, scalability, high availability, resource management
- Operating systems: RHEL, Solaris, Debian, Windows Server, Ubuntu, etc.
- Software access (multiple)
- Data and file: storage, database cluster, and data warehouse
Software-as-a-Service
- User interface: user interaction, roles and access, customisation
- Pricing models: subscription-based, transaction-based, ad-based
- Application features: user management, customer management, online forms, reporting tools, etc.
- Data access: controlled access to data directly from the application or via a Web Service API
- Data and files: storage, database cluster, and data warehouse
Auditing-as-a-Service
Roles:
- Engagement Partner: monitors the firm's audit workflow
- Review Partner: sees what review points are outstanding with clients
- Manager: works on and manages audit engagements
- Intermediate Auditor: works on client audit assignments
- Junior Auditor: works on client audit assignments
Audit types: SME Audit, Corporate Audit, SMSF Audit
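The roles above map naturally onto an authorisation check, and in a multi-firm SaaS that check has to enforce the data segregation between firms before it even looks at roles. The following is an added example written for this page, not Auditflow's code: the five roles are the ones on the slide, but the permission matrix, the firm-wide "monitor" exception for engagement partners, the data model and the in-memory audit log are all assumptions made for the demo.

```python
"""Engagement-scoped, role-based authorisation for a multi-firm audit platform.

Added example, not Auditflow's code. The roles are the five on the slide; the
permission matrix, the firm-wide exception for engagement partners and the
data model are assumptions made for the demo.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Assumed matrix: what each role may do on an engagement it is assigned to.
# Deny by default: an action absent from a role's set is refused.
ROLE_PERMISSIONS = {
    "engagement_partner":   {"view", "edit", "sign_off", "monitor_workflow"},
    "review_partner":       {"view", "add_review_point", "view_review_points"},
    "manager":              {"view", "edit", "assign", "view_review_points"},
    "intermediate_auditor": {"view", "edit"},
    "junior_auditor":       {"view", "edit"},
}

# Assumed: a role holding monitor_workflow may see (not change) any engagement
# of its own firm without being assigned to it, which is how "monitor the
# firm's audit workflow" is modelled here.
FIRM_WIDE_ACTIONS = {"view", "monitor_workflow"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    firm: str
    engagements: FrozenSet[str]   # engagement ids the user is assigned to


@dataclass(frozen=True)
class Engagement:
    id: str
    firm: str        # tenant boundary: the audit firm that owns the file
    client: str
    kind: str        # "SME", "Corporate" or "SMSF"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed in-memory audit trail; a real deployment writes to append-only
# storage so that decisions can be reviewed later (Gartner's "investigative
# support" point).
AUDIT_LOG: List[Tuple[str, str, str, bool, str]] = []


def authorize(user: User, eng: Engagement, action: str) -> Decision:
    """Check the tenant boundary first, then assignment, then role permission."""
    perms = ROLE_PERMISSIONS.get(user.role, set())   # unknown role: no rights
    if user.firm != eng.firm:
        decision = Decision(False, "engagement belongs to another firm")
    elif eng.id not in user.engagements and not (
        "monitor_workflow" in perms and action in FIRM_WIDE_ACTIONS
    ):
        decision = Decision(False, "user is not assigned to this engagement")
    elif action not in perms:
        decision = Decision(False, f"role {user.role!r} may not {action!r}")
    else:
        decision = Decision(True, "allowed")
    AUDIT_LOG.append((user.name, eng.id, action, decision.allowed, decision.reason))
    return decision


if __name__ == "__main__":
    sme = Engagement("E-1", "FirmA", "ClientX", "SME")
    jo = User("jo", "junior_auditor", "FirmA", frozenset({"E-1"}))
    pat = User("pat", "engagement_partner", "FirmA", frozenset())
    for who, act in ((jo, "edit"), (jo, "sign_off"), (pat, "view"), (pat, "edit")):
        print(who.name, act, authorize(who, sme, act))
```

The order of the checks is the point: a user from another firm is refused before their role is even consulted, so a misconfigured role can never leak another tenant's file, and every decision, allowed or not, lands in the log.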
Current challenges with Data
1. Data confidentiality and compliance
2. Data segregation
3. Data integrity
• Lack of understanding about cloud technologies leads accountants and auditors to assume that data is safer on their own computers and servers.
• What would happen if you lost your laptop? Is the data on it encrypted, or just protected by your login password? And how strong is that password?
Let's explore the risks and mitigation strategies in the cloud.
Cloud Computing Adoption
Is cloud computing just a trend, or a technology you should seriously consider in your business?
• Compliance requirements have escalated
• Accuracy and responsibility in financial reporting
• Simplicity amid the complexity of changing rules
Financial planners and accountants alike require a full suite of reliable, compliant applications.
GFC – What did we learn?
96% of small / medium Australian company auditors fail the compliance test; 4% pass (ASIC Report, 2008/2009).
Over 570,000 audits are conducted in Australia per annum; 450,000 of these are SMSF audits.
Over 10 million audits are conducted annually worldwide. International Auditing Standards have been adopted by 125 countries.
The industry is not keeping up with:
• Changing regulations
• The enormous volume of requirements
• Low margin on fees
• Time constraints
• Lack of tools and knowledge
The average audit firm using traditional audit practice:
- Every now and then we run out of data storage space, buy more servers, update the printer, replace ink, or restore from backup because a junior has deleted the wrong folder. Then every year we need to renew all the software licences.
- Why pay for software, servers and a team of IT professionals when all of it can be in the cloud?
Traditional audit workflow:
Create / set up client files → Preliminary work → Audit planning process & audit procedures → Review process → Audit complete and archiving
Tools used along the way:
- Email and fax correspondence
- Folder and file management through Windows Explorer
- Managing client contacts
- File versioning and track changes
- Multi-user access
Cloud
• Easily and constantly updated
• Processes to guide compliance
• Secure access to data
• Unlocks the process
• Builds around the client
• Simplifies support
• Seamless upgrades
• Client centric
• Centrally managed
What does it mean to you and your auditing team? (Benefits)
1. Do what you and your audit team excel at doing
2. Reduced cost
3. Mobility and accessibility
4. No software upgrade hassle
5. No tape or system backups to worry about
6. Compliance and references kept up to date automatically
7. Collaboration with the audit engagement team
8. Eco-friendly
9. Less or no paper storage required
10. Business continuity and high availability
Risks and Issues
1. Security of information
2. Contingency plan
3. Disaster recovery plan
4. Confidentiality of information
5. Dependence on always being connected
6. Offshore Data Storage, legislation and jurisdiction
Cloud Security
IT analyst firm Gartner identifies seven specific security issues that users should raise with application vendors before purchasing.
1.Privileged user access.
• Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs.
• Get as much information as you can about the people who manage your data.
• "Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access," Gartner says.
http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853
2. Regulatory compliance.
• Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider.
• Traditional service providers are subjected to external audits and security certifications.
• Cloud computing providers who refuse to undergo this scrutiny are "signalling that customers can only use them for the most trivial functions," according to Gartner.
3. Data location.
• When you use the cloud, you probably won't know exactly where your data is hosted. In fact, you might not even know what country it will be stored in.
• Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, Gartner advises.
4. Data segregation.
• Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all.
• "Find out what is done to segregate data at rest," Gartner advises.
• The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists.
• "Encryption accidents can make data totally unusable, and even normal encryption can complicate availability," Gartner says.
5. Recovery.
• Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster.
• "Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure," Gartner says.
• Ask your provider if it has "the ability to do a complete restoration, and how long it will take."
6. Investigative support.
• Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns.
• "Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centres.
• If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible."
7. Long-term viability.
• Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event.
• "Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application," Gartner says.
Top security tips for you and what you can do
As an end-user, you should consider the following:
1. Strong password: more than 8 characters, and the longer the better, with a combination of upper- and lower-case letters, digits and symbols. Length does more for you than symbol-juggling, and a password manager lets you use a long, unique password for every site.
2. Replacing letters in your password with special characters, e.g. a -> @, i -> !, b -> 6, q -> 9, s -> 5 or %, e -> 3 or #. Be aware that password-cracking tools apply exactly these substitutions to every dictionary word automatically, so this only helps on top of a password that is not a word in the first place.
http://howsecureismypassword.net/ (only ever type a throwaway password into a third-party site, never one you actually use)
3. Have a security-question answer that has nothing to do with the question.
4. Do not use the "remember me" feature in your web browser.
5. Ensure you log in over HTTPS and stay on HTTPS for the whole session, not just the login page. If your app vendor does not provide it, ask whether the possible exposure of data is acceptable for the type of work you are undertaking.
Common security practices by providers
1. Application level
   - Encrypted data transfer through VPN or HTTPS
   - Passwords stored salted and hashed with a slow key-derivation function, never in plain text or reversibly encrypted
   - CAPTCHA (or lockout) after multiple failed login attempts
   - Policy- and role-based access
   - Restrictions on file uploads
   - At the code-base level: protection against SQL injection and data tampering, and sound session management
2. Platform level
   - Firewall and iptables
   - Access logs and monitoring tools
3. Infrastructure level
   - DMZ and first level of firewall
   - Network isolation (VLAN, IPsec domain isolation, etc.)
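The application-level items above fit together in a single login path. The following is an added example written for this page, not any provider's code, using only Python's standard library: an in-memory sqlite3 user table, PBKDF2-HMAC-SHA256 for password storage, a parameterised lookup placed beside the injectable one it replaces, and a failed-attempt counter that demands a CAPTCHA before hashing again. The demo accounts, the failure threshold and the `captcha_solved` flag (standing in for a real CAPTCHA verification) are assumptions.

```python
"""A login path hardened the way the 'application level' list describes.

Added example, not any provider's code. Standard library only. The accounts,
the failure threshold and the CAPTCHA check are assumptions for the demo.
"""
import hashlib
import hmac
import secrets
import sqlite3

PBKDF2_ITERATIONS = 600_000        # OWASP's recommended count for PBKDF2-HMAC-SHA256
MAX_FAILURES_BEFORE_CAPTCHA = 3    # assumed policy; the slide says only "multiple"
SESSIONS = {}                      # token -> username; server-side session store


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, slow hash. Passwords are hashed, not encrypted: nothing on the
    server can recover the clear text, so a stolen table still has to be cracked."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


# Verified for unknown usernames so their response time matches real ones.
DUMMY_HASH = hash_password("not-a-real-password")


def make_db() -> sqlite3.Connection:
    """Constructed user table with two demo accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, failures INTEGER)")
    for name, pw in (("rich", "engagement-2011-oboe"), ("tony", "mediasphere!portal")):
        db.execute("INSERT INTO users VALUES (?, ?, 0)", (name, hash_password(pw)))
    db.commit()
    return db


def usernames_vulnerable(db: sqlite3.Connection, username: str) -> list:
    """The injectable form: user input is spliced into the SQL text.
    The input  x' OR '1'='1  turns the WHERE clause into a tautology."""
    rows = db.execute(f"SELECT username FROM users WHERE username = '{username}'")
    return [r[0] for r in rows]


def usernames_safe(db: sqlite3.Connection, username: str) -> list:
    """The hardened form: the driver binds the value; it can never become SQL."""
    rows = db.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [r[0] for r in rows]


def login(db: sqlite3.Connection, username: str, password: str, captcha_solved: bool = False) -> str:
    """Returns 'invalid', 'captcha_required', or 'ok:<session token>'."""
    row = db.execute("SELECT pw_hash, failures FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)    # same cost as a real check
        return "invalid"
    pw_hash, failures = row
    if failures >= MAX_FAILURES_BEFORE_CAPTCHA and not captcha_solved:
        return "captcha_required"                # slow the guesser before hashing again
    if not verify_password(password, pw_hash):
        db.execute("UPDATE users SET failures = failures + 1 WHERE username = ?", (username,))
        db.commit()
        return "invalid"
    db.execute("UPDATE users SET failures = 0 WHERE username = ?", (username,))
    db.commit()
    token = secrets.token_urlsafe(32)            # unguessable; a new one on every login
    SESSIONS[token] = username
    return "ok:" + token


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", usernames_vulnerable(db, "x' OR '1'='1"))
    print("safe:      ", usernames_safe(db, "x' OR '1'='1"))
    for attempt in ("wrong", "wrong", "wrong", "engagement-2011-oboe"):
        print("login rich:", login(db, "rich", attempt))
```

Three details carry the security value: the hash verifies in constant time and runs even for unknown users, the CAPTCHA gate fires before the expensive hash so an attacker cannot use the login endpoint as a free cracking oracle, and the session token is random rather than derived from anything the client supplies.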
Keypad poll (repeated after the presentation)

Do you understand what the Cloud is about?
1. Absolutely
2. Sort of
3. Not really
4. Clear as mud
Chart values as extracted: 61%, 3%, 0%, 35%

Do you think the Cloud is secure?
1. Yes
2. I think so
3. I don't think so
4. No
Chart values as extracted: 35%, 12%, 12%, 42%

Do you think content and applications are more likely to be up to date if hosted in the Cloud?
1. Yes
2. I think so
3. I don't think so
4. No
Chart values as extracted: 69%, 0%, 3%, 28%
THANK-YOU! Please leave your keypad on the table or your chair; it won't open your garage door or turn on your TV! I have programmed it to send an electric bolt if you take it out of the room … Thank you www.keepad.com
References and further reading
http://www.mindtouch.com/blog/2008/05/28/differences-between-saas-and-cloud-software/
http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853
http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
http://cloudsecurity.trendmicro.com/tag/iaas/
http://blogs.oracle.com/gbrunett/entry/security_recommendations_for_iaas_providers
http://social.technet.microsoft.com/wiki/contents/articles/3794.aspx
http://social.technet.microsoft.com/wiki/contents/articles/security-implications-of-cloud-service-models.aspx
http://www.csoonline.com/article/660065/saas-paas-and-iaas-a-security-checklist-for-cloud-models
http://www.securityinfowatch.com/root%20level/7-requirements-saas
http://www.saasblogs.com/saas/demystifying-the-cloud-where-do-saas-paas-and-other-acronyms-fit-in/
http://www.rightwaysolution.com/SaaS.html
Charles, E. Getting your head around the cloud, In Practice Magazine, 2011, Issue 1
Keep in Contact
Tony Carrucan
CEO Mediasphere
www.mediasphere.com.au
Richard Neal
CEO Auditflow
www.auditflow.com.au