Top 3 concerns when choosing a cloud vendor

In a recent article in CNN’s Money, there was a discussion about IBM shifting its corporate strategy away from hardware in favor of cloud computing services. The article says “The company was ill-prepared for its customers’ sudden warm embrace of cloud computing. Why buy big, expensive IBM mainframes and servers when you can pay Amazon (AMZN, Tech30) or Microsoft (MSFT, Tech30) to house all your data for you – for cheaper? Why spend money on software for your computers, when those programs can be hosted in the cloud?”

The shift away from the traditional business model of keeping all IT resources in house is impacting everyone. IT departments in every industry, public and private sectors, and in companies both big and small are advising management to move to cloud computing. If you want to learn about the basics of cloud computing, Amazon Web Services has a wonderful explanation on its website.

The move to cloud computing is directly impacting internal audit departments. Many departments use internal audit software for risk assessments, resource management, audit documentation, reporting, and data analytics. Your IT department may push you to a cloud solution, and the vendor you choose could either provide cloud-only software or have both cloud and on-premise options. So how do you know what to choose?

Let’s first assume the internal audit software solution you are considering meets your functional needs. Addressing the installation options really depends on your IT Security needs, and there are three important variables to consider.

1. Security – One of the biggest topics of conversation for the past few years in internal audit is cyber security. When choosing a cloud option, you should review the security and privacy policies for the application and hosting data center. Look for external assessments like SOC 1, 2 or 3 reports that will attest to the vendor’s security. These should address any concerns around system testing, patching, and monitoring. Also find out what encryption techniques are used by the vendor. Data encryption is usually offered to cover data in transit, or data at rest, or both.
2. Availability – Really any cloud solution is presented as web access to an internal audit software solution. Consider how you specifically are going access the audit software. Does the vendor have a specific browser requirement that is in line with your IT standards? Does the vendor offer the capability to work offline if needed? What is the vendor’s expected availability level (usually 99.9% or better)? How does the vendor provide software updates? What does the disaster recovery program look like?
3. Cost – The cost for the cloud service is typically relative to the number of users who have access, or the amount of data stored, or both. The goal is to find an internal audit solution that costs less than it would to run the system internally. Do not be fooled into thinking that an on-premise option is free. To figure this out, you would need the cost of the hardware, the cost of the database software (e.g. SQL), and administration if the solution were installed in your own data center and managed by your own IT staff.

If you do pursue a cloud computing option, do your own due diligence to find the option that works best for your team and still meets your IT department’s requirements. Remember to evaluate a cloud service provider in accordance with the COSO 2013 framework as an Outsourced Service Provider (OSP). Dependency on OSPs changes the risks of business activities and creates challenges in monitoring activities and related controls. You ultimately have responsibility for the chosen OSP’s system of internal control, so choose wisely. At TeamMate, we take pride in following internal audit industry standards and hosting best practices in our TeamCloud environment. If you are not using TeamMate for your audit department’s cloud computing needs, be sure you choose a vendor who also follows best practices.