As organizations increasingly rely on cloud computing for areas as varied as HR software, email, and financial data storage, internal audit needs to provide oversight of these technologies.
When used optimally, cloud infrastructure and other cloud tools can provide many benefits, such as increased efficiency and flexibility. Yet, the cloud also carries risks in areas around potential security and compliance issues.
To help avoid or minimize these types of risks, internal audit should be involved with cloud computing. One area in particular that internal auditors should be aware of is general IT risk management. By conducting a cloud computing audit, internal auditors can spot potential issues, for example, improper data management controls, as just one example.
From there, internal auditors can make recommendations to reduce risks and identify new opportunities for making the most of cloud computing. Internal auditors don’t need to be cloud experts, but they can use audit best practices to report their findings to relevant leaders who can then improve cloud strategy.
To audit the cloud, consider the following four tips to get you started:
1) Inventory cloud assets
Auditing cloud computing requires mapping your cloud computing environment so you understand what’s at stake. Working with other IT and technology leaders, internal auditors can create an inventory of all the cloud assets in your organization. These include:
- Cloud hosting platforms, e.g., Amazon Web Services, Google Cloud Platform, and Microsoft Azure
- Cloud software tools, e.g., Hubspot, Oracle, and Salesforce
- Third-party cloud usage, e.g., the cloud usage of your website hosting provider
Keep in mind that employees might use cloud applications on their own accord — for example, using a cloud-based graphic design platform out of convenience — without first obtaining approval from IT. Tracking these shadow IT assets can be a challenge. Implementing a cloud audit is a good strategy to identify what employees are using.
2) Assess cloud risks
Once you have a solid inventory of cloud assets, internal audit teams can assess the risks that these different assets provide. Keep in mind that these can be both technical and organizational risks, as Carnegie Mellon University explains.
“Organizational factors include an insufficient organizational cloud strategy, ill-defined organizational roles and responsibilities, insufficient technical skill set, and poor change management practices. Technical factors include inadequate architecture and design; poor integration of on-premises and cloud technologies; and cloud service that lacks needed agility, availability, and security properties,” notes a Carnegie Mellon article.
While specific risks can differ among organizations, you might find that they fall along similar lines as other types of IT and emerging technology risks, like having the right expertise and keeping data secure.
Keeping sensitive data secure is a cloud risk that may also spill over into issues that involve managing remote work protocols, as employees often need greater access to cloud tools that enable working from home.
Much as you might work with your IT and enterprise risk management departments to stay on top of cloud security threats, internal auditors can also collaborate with Human Resources to weigh overall cloud risks and benefits.
3) Review cloud controls
Knowing the risks that cloud computing can pose isn’t enough. A cloud audit should also review cloud controls to see whether sufficient protections are in place or identify ways to make cloud usage more secure and helpful to the organization.
For example, internal audit staff may want to confirm that their organizations are holding up their end of the security bargain, rather than assuming a cloud computing platform will handle everything related to cloud security.
This is because cloud service providers often use a shared responsibility model, which means they “must monitor and respond to security threats related to the cloud itself and its underlying infrastructure. Meanwhile, end users, including individuals and companies, are responsible for protecting data and other assets they store in any cloud environment,” (CrowdStrike, a cybersecurity company).
Internal cloud controls also include cloud compliance, cloud vendor procurement processes, and access management protocols. Internal auditors will likely want to coordinate with IT teams to review access logs to avoid unauthorized or unnecessary access.
4) Identify cloud benefits
While a big component of auditing the cloud is understanding risks and controls, it’s not just about playing defense. Internal auditors can also use cloud auditing to identify ways that the cloud helps an organization.
For example, audit results might indicate increased organizational productivity with increased cloud usage. Those findings could then be presented to leaders in HR and senior management to better inform, adopt, and enhance work-from-home policies.
Using automated audit tools like TeamMate+, allows you to connect to other platforms, such as your preferred Business Intelligence tool, via APIs. That way, you can create reports that pair cloud audit findings with insights from these other tools to suggest ways to get the most out of the cloud; including, but not limited to, analyzing the financial costs of using your own data centers vs. cloud data storage.
Stay on top of the cloud
Cloud services offer many benefits to organizations, but never use them unchecked. Internal auditing for cloud computing can help teams better understand the risks and benefits of the cloud, as well as improve cloud usage. With the right cloud controls in place, you can advance your organization technologically while strengthening your cloud compliance, cloud security posture, and more.
