It is important to note that the audit approach carried out is likely to vary, depending on the scale and complexity of the service being used. Questions that internal audit will need to consider before they begin their work include:

• Is the existing audit risk assessment process flexible enough to differentiate between the range of cloud services that might be used?
• Is there a clear understanding of the difference between the organisation and the cloud, and where the technology boundary starts and stops?
• Has sufficient explanation been provided to key internal parties, including directors and the audit committee, to highlight the business reasoning or impact of cloud provision?
• How does the audit work complement the wider supplier assessments that are considering both third and fourth party risks?
• How will samples be selected and are there opportunities to employ data analytics, either via the service provider or in-house, to enable complex analysis that caters for peaks and troughs in provision?
• Are the audit teams knowledgeable about the differences in cloud computing services and do they apply the right approach to deliver effective audit coverage?
• Does the organisation’s strategy for the cloud link to the overall business strategy?

Key risks and challenges

Cloud security

Security is one of the main areas of this report’s focus and requires detailed knowledge. There are a broad range of security controls that need to be considered, from access control and encryption through to cyber defences and monitoring. How the cloud service provider implements recognised security standards will also be critical to consider.

Operational resilience is key to maintaining service

Effective operational resilience is necessary for maintaining service for customers in addition to meeting regulatory and legal requirements. Internal audit will need to consider the level of resilience required and how the cloud provider meets these requirements.

Supplier management and its role in maintaining service

Internal auditors will need to understand how the operating model works and may use service metrics, defined KPIs and meetings with the service provider (or supplier management team) to gain a greater understanding of the cloud.

Governance policies and processes: are they fit for purpose?

There needs to be a clear transition where the business as usual approach effectively embeds into the organisation. An organisation-wide cloud policy needs to be established. Cloud services can be procured easily and there is a risk that without the right governance organisations could lose central control of the IT being used.

Regulatory and legal: the importance of compliance

Cloud provision will need to comply with both regulatory and legal requirements. This complex area is evolving. Financial regulators will be increasingly focused on the potential risk of concentration where a number of large organisations are using a small number of providers, such as Amazon, Google, IBM and Microsoft. A service failure at a large cloud service provider could result in mass disruption.

As the use of cloud technology matures, organisations will be adopting new operational models with increased automation that moves away from traditional IT management and service design. Internal audit will need to consider how it moves towards providing real time assurance.

Access the latest thinking on internal audit:

• Internal audit resource centre