Conundrum of the cloud and audit requirements

Issued by MIP Holdings
Johannesburg, Jan 21, 2013

Cloud computing has given companies in every industry convenient, on-demand network access to applications that enhance business processes and reduce the need for large capital expenditure on IT. Cloud computing's benefits far outweigh any potential security risks, as reputable service providers ensure that privacy and confidentiality are paramount and the integrity of the system cannot be compromised.

However, one area remains a conundrum: the effectiveness of internal controls and audit requirements. "If unauthorised users access information, an organisation's information could be compromised. Cloud providers understand this, and put a variety of safeguards in place to ensure this doesn't happen. Cloud providers also adopt policies for the strict maintenance of audit trails, but user authentication and data breach issues can be caused through a conflict between what the cloud provides and what auditors require," says Richard Firth, CEO of MIP Holdings.

The control and audit issues that arise for companies in the cloud are the result of a disconnect between the technology and audit structures, he explains. "Audit standards have not yet developed to the point where there is clear-cut guidance to auditors regarding how and what to test in a client's operations when these depend on a cloud service provider, and only part of the problem is technical complexity. Just as important is getting the people processes straight and having governance in place, so the initiator of an operation in the cloud is doing things correctly. Another complexity is lines of responsibility: who's doing what? Due to the very nature of the cloud, there are people handling the system and data who are not employed by the company, which can lead to a number of challenges from an auditing point of view."

While outsourcing to external service providers can present security risks, adequate controls and policies that govern data storage, dissemination and processing ensure that security breaches are extremely unlikely. These policies and controls, however, define a company's internal control environment, which in turn affects the reliability of reporting in annual reports and other statements. Audit standards therefore require auditors to review and assess any such controls that a company adopts. For this reason, decisions about the adoption and use of the underlying technologies that dictate a company's data storage, processing and data sharing policies place significant constraints on the planning, execution and skill set required to carry out an audit engagement properly.

In addition, maintenance and support IDs create a dilemma of their own, says Firth. "In order to provide its service, and to ensure that the system is running effectively, a cloud provider must have access to the system as a 'Super User'. In that case, the provider has access to the audit record, and could potentially change or delete it. And even if an organisation elected to keep the Super User status with an internal employee, the same challenge exists. It all comes down to the controls and provision of access."
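The risk Firth describes, a privileged operator who can alter or delete the audit record, is the case that tamper-evident logging is built to expose. The Python below is an added example, not code from MIP Holdings or this article: each record carries the hash of its predecessor, and the auditor keeps the final head hash outside the provider's control, so the chain alone catches modification and deletion while the external anchor is what catches silent truncation. The events, user names and timestamps are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # starting link for an empty log

def entry_hash(prev_hash, event):
    # Canonical JSON so the same event always hashes the same way.
    payload = prev_hash + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def append_event(log, event):
    """Append an event linked to the previous entry; return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "event": event, "hash": entry_hash(prev, event)})
    return log[-1]["hash"]

def verify_log(log, anchored_head=None):
    """Recompute the chain; optionally compare the head to a copy held outside the system."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            return False, "link broken at entry %d (record removed or reordered)" % i
        if entry["hash"] != entry_hash(prev, entry["event"]):
            return False, "entry %d modified" % i
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, "head mismatch (tail records dropped or log replaced)"
    return True, "ok"

# Constructed sample events; names and timestamps are hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2013-01-21T08:00:00Z", "user": "alice", "action": "login"},
    {"ts": "2013-01-21T08:05:12Z", "user": "svc_admin", "action": "config_change"},
    {"ts": "2013-01-21T08:07:40Z", "user": "alice", "action": "export"},
]

def demo():
    log = []
    for ev in SAMPLE_EVENTS:
        head = append_event(log, ev)  # auditor retains a copy of the final head
    modified = list(log)
    modified[1] = {**log[1], "event": {**log[1]["event"], "user": "alice"}}  # attribution rewritten
    deleted = log[:1] + log[2:]  # middle record removed
    truncated = log[:-1]  # last record dropped
    return {
        "intact": verify_log(log, head)[0],
        "modified": verify_log(modified, head)[0],
        "deleted": verify_log(deleted, head)[0],
        "truncated_chain_only": verify_log(truncated)[0],
        "truncated_with_anchor": verify_log(truncated, head)[0],
    }
```

The `truncated_chain_only` result is the point: a chain that is only checked against itself still verifies after the newest records are dropped, which is why the head hash must be escrowed with a party the Super User cannot reach.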

Firth says this conflict between audit requirements and IT raises the question of how the two can co-exist. "When relying on an external vendor to handle a company's critical applications, it is important for auditors to understand not only the nature and potential benefits of new technologies, but also the risks they present and the impact they may have on the performance of the audit. What needs to be put in place to ensure that all parties can do their job effectively? At what point does the cloud provider become trusted? At what point do audit requirements catch up to the potential of the technology?"