The use of cloud computing is rapidly expanding all over the world at an amazing pace because of its tangible benefits in cost reduction of IT services by obtaining them over the Internet.

The possible advantages are quite obvious: the ability to reduce capital expenditure, to share services with massive, often seemingly unlimited scalability, to dial up usage or pay as you use when required, and to reduce IT-related expenses, thereby enhancing competitive advantage along with the bottom line.

In a typical cloud service model, an External Service Provider (ESP) offers various IT services to the business, depending on the Service Level Agreement (SLA) and selection of services.

A Cloud Service Provider (CSP) makes available Software as a Service (SaaS), Application as a Service (AaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

In the case of SaaS, complete applications such as Customer Relations Management, Enterprise Resource Management, Internet file stores and spam filters are made available by the ESP.

In PaaS, workflow, document management, data services and APIs are offered; in IaaS, core infrastructure services such as operating systems, data storage, Web servers and edge caching services are undertaken by vendors like Rackspace, GoGrid, and Amazon EC2.

Risk management

Though cloud computing services have unique advantages, there are critical issues relating to confidentiality, data integrity, security, availability, disaster preparedness, tax implications and other risks. Most of these challenges arise out of the loss of physical control over IT assets and services.

Major failures, such as that of Amazon Web Services due to the breakdown of a redundant power system, and the loss of data by Microsoft, Google, Virgin Blue Airline etc., point to the magnitude of the risks involved in depending on an external service provider for critical services.

Internal audit needs to evolve from its traditional passive role of looking at internal control and compliance issues to a proactive role of a strategic value advisor.

Role of audit

Audit should help in planning and organising, acquisition and implementation, delivery and support, monitoring and evaluation of technology selection, regulatory compliance, selection and performance of third-party service providers and suppliers, and contract compliance. Information system audit checks should be used to test confidentiality, data integrity, availability, security, authentication, reliability etc. Audit should take increasing responsibility and ensure value addition in key strategic domains such as brand protection, mergers and acquisitions, customer relations, cost reduction and revenue maximization, fraud detection, control and prevention, data governance and quality, keeping pace with the rapidly changing business environment and the way business is carried out in a cloud service environment.

Audit should focus on value addition by supporting strategic initiatives and providing high quality business insights as an integral part of the process, and should also be actively involved in continuous monitoring, evaluation and improvement of the control environment and regulatory compliance.

Tech infrastructure

Important audit concerns are focussed on creation and maintenance of a technology infrastructure plan in alignment with IT strategic and tactical plans based on technology direction, contingency arrangement, and direction for acquisition of technology resources.

Internal audit should also focus on critical business concerns while adopting a cloud computing strategy, such as classification of data on the basis of sensitivity and criticality to the business, security issues along with legal and privacy implications, formulation of appropriate cloud policies and procedures, retrieval of data, disaster management and identification of services which can depend on the cloud without serious business risk.

In a nutshell, auditing should evolve as a value-adding, assurance-providing, consulting activity, based on objective, independent evaluation of the control environment, systems and procedures, and on continuous monitoring to improve the governance process and risk management, to help the organisation accomplish its business objectives.

(The author is Director General, CAG Office.)
