ICAEW: How to audit the cloud

04 December 2018

ICAEW publication seeks to provide internal audit functions with important guidance on the work they should carry out in relevant key issues that include cloud security, customer services, supplier management and legal and regulatory compliance.

It is important to note that the audit approach carried out is likely to vary, depending on the scale and complexity of the service being used. Questions that internal audit will need to consider before they begin their work include:

• Is the existing audit risk assessment process flexible enough to differentiate between the range of cloud services that might be used?
• Is there a clear understanding of the difference between the organisation and the cloud, and where the technology boundary starts and stops?
• Has sufficient explanation been provided to key internal parties, including directors and the audit committee, to highlight the business reasoning or impact of cloud provision?
• How does the audit work complement the wider supplier assessments that are considering both third and fourth party risks?
• How will samples be selected and are there opportunities to employ data analytics, either via the service provider or in-house, to enable complex analysis that caters for peaks and troughs in provision?
• Are the audit teams knowledgeable about the differences in cloud computing services and do they apply the right approach to deliver effective audit coverage?
• Does the organisation’s strategy for the cloud link to the overall business strategy?

Key risks and challenges

Cloud security

Security is one of the main areas of this report’s focus and requires detailed knowledge. There are a broad range of security controls that need to be considered, from access control and encryption through to cyber defences and monitoring. How the cloud service provider implements recognised security standards will also be critical to consider.

Operational resilience is key to maintaining service

Effective operational resilience is necessary for maintaining service for customers in addition to meeting regulatory and legal requirements. Internal audit will need to consider the level of resilience required and how the cloud provider meets these requirements.

Full article

© ICAEW - Institute of Chartered Accountants in England and Wales