Auditing Cloud Computing

Auditing Cloud Computing: Adapting to Changes in Data Management
IIA and ISACA Joint Meeting
March 12, 2013
Presented by:
Jay Hoffman (AEP), John Didlott (AEP),
and Charles Saunders (Franklin University)
Overview of Presentation
1. Charles: Do internal audit fundamentals apply to cloud computing?
2. Jay: How does cloud computing make it into my audit universe?
3. John: How do you execute and sustain the audit plan?
Do internal audit fundamentals apply
to cloud computing?
• In a word, YES!
– Cloud computing is a significant strategic decision.
– Cloud computing has significant financial impact.
– Cloud computing has significant risk implications.
– Cloud computing has significant control
considerations.
– Cloud computing requires significant management
involvement, oversight, and governance.
COSO Definition of Internal Control
• A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations
COSO Definition of Enterprise Risk
Management
• Enterprise Risk Management is a process,
effected by an entity’s board of directors,
management and other personnel, applied in
strategy setting and across the enterprise,
designed to identify potential events that may
affect the entity, and manage risk to be within
its risk appetite, to provide reasonable
assurance regarding the achievement of entity
objectives.
Ten Principles of Cloud Computing Risk
Source: Vohradsky, D. (2012). Cloud risk—10 principles and a framework for assessment. ISACA Journal, 5, 31-41.
1. Executives must have oversight over the cloud.
2. Management must own the risks in the cloud.
3. All necessary staff must have knowledge of the cloud.
4. Management must know who is using the cloud.
5. Management must authorize what is put in the cloud.
6. Mature IT processes must be followed in the cloud.
7. Management must buy or build management and security in the cloud.
8. Management must ensure cloud use is compliant.
9. Management must monitor risk in the cloud.
10. Best practices must be followed in the cloud.
Risk Implications and Responses (risk → response)
Source: The Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2012.
1. Unauthorized cloud activity → Cloud policies and controls
2. Lack of transparency → Assessments of the cloud service provider (CSP) control environment
3. Security, compliance, data leakage, data jurisdiction → Data classification policies and processes
4. Transparency and relinquishing direct control → Management oversight, operations monitoring controls
5. Reliability, performance, high-value cyber-attack target → Preventative measures; incident management
6. Non-compliance with regulations → Monitoring of the external environment
7. Vendor lock-in → Preparation of an exit strategy
8. Non-compliance with disclosure requirements → New disclosures in financial reporting
9. All risks → ERM; Internal Audit; Board oversight; management awareness and involvement
Selected Sources of Information about Cloud Computing Risks and Controls
1. COSO
2. IIA
3. ISACA (e.g., COBIT 5, other publications and guidance)
4. IEEE (Institute of Electrical and Electronics Engineers)
5. ENISA (European Network and Information Security Agency)
6. OWASP (Open Web Application Security Project)
7. CSA (Cloud Security Alliance)
8. NIST (National Institute of Standards and Technology)
9. ISO 27001
10. ISO/IEC 9126
11. AICPA
Audit Plan Development Process
Inputs to the audit universe:
• External influences: news/events; Deloitte input; regulatory compliance rules and laws
• Internal influences: AEP strategy; enterprise risk; management interviews; prior audits
• Professional influences: trade associations/EEI; Institute of Internal Auditors; Audit Directors Roundtable; etc.
Audit universe → risk-based prioritization (emerging risks, ongoing risks, reactive risks) together with the audit strategy → preliminary audit plan
Auditing Cloud Computing
John Didlott
March 2013
Agenda
• Cloud Audit Drivers
• Audit Planning
• Scope and Objectives
• Risk Assessment
• Engagement Risks
• Risk Factors
• Mitigating Risk
• Risks not Specific to the Cloud
• Security Benefits
• Cloud Audit Program Resources
• Questions?
Our Audit and Why
• Data Ownership
• Third-party relationship
• Cyber Security
Audit Planning
• Preparing for the audit
– What do you really have in the "Cloud"?
– What types of clouds are utilized within your organization?
– Where do you start?
Objectives and Scope
• Objectives
– Data Security
– Control Deficiencies
– Service Provider Reliability/System Availability
• Scope
– Governance
– Contractual Compliance
– Control Issues specific to Cloud Computing
Risk Assessment
• What is involved in creating the risk assessment for a cloud environment?
• What are the risk factors that apply to cloud computing?
Engagement Risks
• Risks based on management's objectives
– Security, cost and system availability
• Efficiency/effectiveness of operations
– Access to data
– System failure
• Reliability of information
– Data security and availability
Risk Factors
• The Audit Clause
– How important is the audit clause? Before you can look at the risk, you need to answer one question: what do the cloud contracts allow me to do?
– If the contract grants no right to audit, your assessment is limited to what the provider chooses to share (for example, third-party attestation reports), so the audit clause has to be negotiated before signing.
Risk Factors Cont…
• Governance and Compliance
– A cloud solution moves much of the day-to-day control over governance and compliance to the cloud provider, while accountability for the risk stays with the customer
• Conflicting Security Procedures of Provider
– The security procedures at the provider's end may conflict with those at the customer's end
• Abuse of Privilege at Provider's End
– How is privileged access granted, reviewed and logged at the cloud provider?
Risk Factors Cont…
• Data Security
– What data protection risks am I facing?
• Ineffective deletion of data
– When I delete data, is it actually deleted, including the copies held in backups and replicas?
• Lock In/Service Portability
– Proprietary data formats and interfaces can make it difficult to move data to another provider
Risk Factors Cont…
• Multi-tenancy environment
– If your data contains information that needs to be protected, do you want it stored in a public (shared) cloud?
• Lack of Compliance Assurance
– Does your provider meet industry standards and security requirements?
• Lack of Transparency in Supply Chain
– Which services does the provider itself obtain from other third parties, and what do those parties supply?
Risk Factors Cont…
• Resource Limitations
– Inaccurate capacity modeling and planning
• Remote Access Vulnerabilities
– From where, and over which channels, can your data be accessed?
• Business Continuity (BC) Planning and Disaster Recovery (DR)
– What does your cloud provider have in place?
Strategies for Mitigating Risk
• Get involved at the beginning
– Start before a contract is signed
• Use encryption in the cloud
– Prevents disclosure of stored data; the protection holds only if the provider does not also hold the keys
• Develop a stronger auditing approach around the provider's facilities and logs
– Ensure that access to facilities and logs is available
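The "use encryption in the cloud" point only prevents disclosure when the encryption happens before the data leaves the customer's control and the key stays with the customer. The following Go program is an added example written for this page, not code from the presentation or from AEP: it encrypts an object with AES-256-GCM on the customer side, hands only the ciphertext to the provider, and binds the object name into the authentication tag so a blob copied under another name will not decrypt. The in-memory `objectStore` map, the key generation routine and the sample payroll record are all constructed stand-ins for a real object store and key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// objectStore is a hypothetical in-memory substitute for the provider's
// storage service: it only ever sees what the customer uploads.
type objectStore map[string][]byte

// newDataKey generates a 256-bit AES key. In production the key lives in a
// customer-controlled KMS or HSM and is never given to the provider.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealObject encrypts plaintext with AES-256-GCM. The object name is bound
// as associated data, so the same blob under a different name fails to open.
// Output layout: nonce || ciphertext || GCM tag.
func sealObject(key []byte, name string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// openObject reverses sealObject. A wrong key, a changed name, or any
// modification of nonce or ciphertext makes the tag check fail.
func openObject(key []byte, name string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// uploadEncrypted encrypts before anything leaves the customer's control.
func uploadEncrypted(store objectStore, key []byte, name string, plaintext []byte) error {
	blob, err := sealObject(key, name, plaintext)
	if err != nil {
		return err
	}
	store[name] = blob
	return nil
}

// downloadDecrypted fetches the blob and decrypts it on the customer side.
func downloadDecrypted(store objectStore, key []byte, name string) ([]byte, error) {
	blob, ok := store[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	return openObject(key, name, blob)
}

func main() {
	key, err := newDataKey()
	if err != nil {
		panic(err)
	}
	store := objectStore{}
	record := []byte("employee=jdoe;ssn=000-00-0000") // constructed sample record
	if err := uploadEncrypted(store, key, "hr/payroll.csv", record); err != nil {
		panic(err)
	}
	fmt.Printf("provider holds %d bytes of ciphertext\n", len(store["hr/payroll.csv"]))
	back, err := downloadDecrypted(store, key, "hr/payroll.csv")
	fmt.Printf("customer reads back %q (err=%v)\n", back, err)
	store["hr/copy.csv"] = store["hr/payroll.csv"] // provider-side copy under a new name
	_, err = downloadDecrypted(store, key, "hr/copy.csv")
	fmt.Printf("renamed copy opens: %v\n", err == nil)
}
```

For the auditor the checkable properties are the ones the program exercises: the provider never receives the plaintext or the key, and a blob that is tampered with, moved, or read with the wrong key fails closed rather than decrypting to garbage.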
Strategies for Mitigating Risk Cont…
• Leverage Expertise
– Determine how data is handled at the provider's end
• Security Certifications
– Do they conform to industry standards?
• Data Breaches
– What actions can you take to protect yourself monetarily?
Risks not specific to the Cloud
• Network Outages
– How would an outage affect your business?
• Network Management
– Can affect company reputation and customer trust
Risks not specific to the Cloud Cont…
• Unauthorized access to facilities
– What could happen if unauthorized access occurred?
• Natural Disasters
– Can affect company reputation, along with customer trust
Security Benefits
• Security and the benefits of scale
– Security measures are cheaper when implemented on a larger scale
• Security as a market differentiator
– Reputation of the provider
• Standardized interfaces for managed security services
– Open interfaces to managed security services
Security Benefits Cont…
• Rapid, smart scaling of resources
– Resources can be reallocated to defensive measures when needed
• Audit and evidence-gathering
– Dedicated forensic images of virtual machines can be captured on demand for analysis
• More timely, effective and efficient updates and defaults
– Default virtual machine images and software modules can be pre-hardened and patched centrally, so updates reach customers faster
Cloud Audit Program Resources
ISACA – Cloud Computing Management Audit/Assurance Program
http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/AuditPrograms/Pages/ICQs-and-Audit-Programs.aspx
Cloud Federal Privacy Recommendations
http://www.privacylives.com/wp-content/uploads/2010/08/Privacy-Recommendations-CloudComputing-8-19-2010.pdf
CSA Cloud Security Guidance
http://www.cloudsecurityalliance.org/csaguide.pdf
NIST Cloud Presentations
http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
GAO Cloud Guidance (testimony)
http://www.gao.gov/new.items/d10855t.pdf
Questions?