Conundrum of the cloud and audit requirements
Cloud computing has given companies in every industry convenient, on-demand network access to applications that enhance business processes and reduce the need for large capital expenditures in IT. Cloud computing's benefits far outweigh any potential security risks, as reputable service providers ensure that privacy and confidentiality are paramount and the integrity of the system cannot be compromised.
However, one area that provides a conundrum lies in the effectiveness of internal controls and audit requirements. "If unauthorised users access information, an organisation's information could be compromised. Cloud providers understand this, and put a variety of safeguards in place to ensure this doesn't happen. Cloud providers also adopt policies for the strict maintenance of audit trails, but user authentication and data breach issues can be caused through a conflict between what the cloud provides and what auditors require," says Richard Firth, CEO of MIP Holdings.
The control and audit issues that arise for companies in the cloud are the result of a disconnect between the technology and audit structures, he explains. "Audit standards have not yet developed to the point where there is clear-cut guidance to auditors regarding how and what to test in a client's operations when these depend on a cloud service provider, and only part of the problem is technical complexity. Just as important is getting the people processes straight and having governance in place, so the initiator of an operation in the cloud is doing things correctly. Another complexity is lines of responsibility: who's doing what? Due to the very nature of the cloud, there are people handling the system and data who are not employed by the company, which can lead to a number of challenges from an auditing point of view."
While outsourcing to external service providers can present security risks, adequate controls and policies that govern data storage, dissemination, and processing ensure that security breaches are extremely unlikely. However, these policies and controls define a company's internal control environment, which has an impact on the reliability of reporting in annual reports or other statements, so audit standards require auditors to perform a review and assessment of any such controls that a company adopts. For this reason, decisions about the adoption and use of the underlying technologies that dictate a company's data storage, processing, and data sharing policies place significant constraints on the planning, execution, and skill set required to properly carry out any audit engagement.
In addition, maintenance and support IDs create a dilemma of their own, says Firth. "In order to provide its service, and to ensure that the system is running effectively, a cloud provider must have access to the system as a 'Super User'. In that case, the provider has access to the audit record, and could potentially change or delete it. And even if an organisation elected to keep the Super User status with an internal employee, the same challenge exists. It all comes down to the controls and provision of access."
Firth says this conflict between audit requirements and IT raises the question of how the two can co-exist. "When relying on an external vendor in handling a company's critical applications, it is important for auditors to understand not only the nature and potential benefits of new technologies, but also the risks they present and the impact they may have on the performance of the audit. What needs to be put in place to ensure that all parties can do their job effectively? At what point does the cloud provider become trusted? At what point do audit requirements catch up to the potential of the technology?"
MIP Holdings is one of the world's leaders in the provision of 'risk-based' billing services mainly, but not exclusively, to the financial services industry. The company designs and develops software solutions that focus on the collection of contributions and payment of benefits in the healthcare, employee benefits and life assurance sectors, as well as in personal finance, integrated lending systems and treasury.
With a focus on meeting client-specific requirements and through extensive investment in technology, MIP 'future proofs' its solutions. Strict adherence to industry standards, as well as stringent internal control over standards and quality assurance, ensures the systems MIP develops meet all client expectations.
Expanding into the telecoms sector through its purchase of Itemate, MIP Holdings provides telecoms operations and management solutions to communications service providers worldwide. The company's specific skills in the area of mobile prepaid value chains, prepaid product life cycle management analysis, voucher management systems and mobile financial services enable it to provide an end-to-end service. Its most recent acquisition, Waytag, further enhanced the company's ability to provide a comprehensive solution to its clients through the unique Waytag offering of location-based services.
MIP Holdings was founded in 1989 and is based in Johannesburg, South Africa, with additional offices in Cape Town and Pretoria.