As organizations begin to transition services to the cloud, there is a need for ongoing assurances from both cloud customers and cloud service providers that controls are put in place and are operating as intended.
An organization’s internal audit can provide visibility into:
- The cloud program’s effectiveness
- Assurance to the board and risk management team on the organization’s cloud risk exposure
- Whether current business practices are helping the organization manage that risk and meet its strategic objectives
The internal audit function can also play a “trusted” advisor role and proactively be involved by working with IT and the business in identifying and addressing the risk associated with the various cloud services and deployment models. In this capacity, the organization is actively taking a risk-based approach on its journey to the cloud.
Also, internal audit can engage with stakeholders, review the current risk framework with a cloud lens, assist with the risk-mitigation strategies, and perform several cloud audits such as:
- The organization’s current cloud-governance program
- Data-classification governance
- Shadow IT
Internal audit will also continue to perform audits in the traditional sense, which are directly dependent on the outputs of the organization’s risk assessment process.
External audits are typically performed by an external firm belonging to an association of registered auditors. External audits typically:
- Provide assurance that legal, regulatory, or contractual requirements are being met
- Occur annually unless otherwise specified
- Provide assurance to parties consuming services that the provider has and is maintaining required controls
Impact of Audit Requirements
Depending on audit depth and purpose, there may be a need to prove out the effectiveness of the controls that are part of a provider's cloud service offering. Applicable laws and regulations will bear on where the audit should focus and on the methods used, which may in turn have an impact on the organization.
Restrictions of Audit Scope Statements
Audit scope restrictions are typically used and enforced to focus effort deliberately on areas that are “audit ready,” or to exclude specific components or functions from the audit review.
Additionally, audit scope restrictions are widely used to ensure that the operational impact of the audit will be limited, effectively lowering any risk to production environments and high-priority or essential components required for the delivery of services.
Finally, scope restrictions typically specify operational components and asset restrictions, including acceptable times and time periods (e.g., time of day) and acceptable and unacceptable testing methods (e.g., no destructive testing) to limit impact on production systems. Additionally, many organizations will not permit technical testing of systems and components on live systems/environments, as these could cause denial of service or result in negative or degraded performance.
Note that, due to the nature of audits, indemnification of any liability for systems’ performance degradation, along with any other adverse effects, will be required wherever technical testing is performed. For most cloud-based audits, the scope will not include technical assessments (as part of contractual requirements); rather, audits will focus on the ability to meet SLAs, contractual requirements, and industry best practice standards and frameworks.