As the popularity of cloud computing has increased over the last decade, so has the maturity of the standards used to govern these resources. This article provides a definition of cloud computing and of a cloud computing audit, the objectives of cloud computing audits, the scope of a cloud computing audit, and the audit steps to expect.
Cloud Computing Definitions
Cloud computing is best defined by the National Institute of Standards and Technology (NIST). NIST is a part of the U.S. Department of Commerce with the mission of encouraging innovation through science, technology, and standards, including standards for cloud computing. According to NIST, “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”
This definition was created to set a baseline for the discussion around cloud computing. As stated in the definition, cloud computing includes five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service), three service models (software-as-a-service, platform-as-a-service, and infrastructure-as-a-service), and four deployment models (private cloud, community cloud, public cloud, and hybrid cloud). These characteristics, service models, and deployment models can be combined in different ways depending on the needs of the organization. For a more detailed breakdown of the cloud characteristics, service models, and deployment models, check out my blog Climbing to the Top: Understanding Major Cloud Service Providers.
Cloud Computing Audit
In general, an audit is an engagement in which an independent third party obtains evidence through inquiry, physical inspection, observation, confirmation, analytical procedures, and/or re-performance.
In a cloud computing audit, a variation of these steps is completed in order to form an opinion on the design and operating effectiveness of controls identified in the following areas:
- Security incidents
- Network security
- System development or change management
- Risk management
- Data management
- Vulnerability and remediation management
- Tone at the top, or leadership's commitment to transparency and ethical behavior
What are cloud computing audit objectives?
During the planning and execution stages of an audit, it's important to have a clear understanding of what the objectives of the audit include. Companies should strive to align their business objectives with the objectives of the audit. This ensures that the time and resources spent help achieve a strong internal control environment and lower the risk of a qualified opinion.
Auditors use objectives as the basis for concluding on the evidence they obtain. Below is a sample list of cloud computing objectives that can be used by auditors and businesses alike.
- Define a Strategic IT Plan: The use of IT resources should align with company business strategies. When defining this objective, some key considerations should include whether IT investments are supported by a strong business case and what education will be required during the rollout of new IT investments.
- Define the Information Architecture: The information architecture includes the network, systems, and security requirements needed to safeguard the integrity and security of information, whether that information is at rest, in transit, or being processed.
- Define the IT Processes, Organization, and Relationships: Creating processes that are documented, standardized, and repeatable makes for a more stable IT environment. Businesses should focus on creating policies and procedures that cover organization structure, roles and responsibilities, system ownership, risk management, information security, segregation of duties, change management, incident management, and disaster recovery.
- Communicate Management Aims and Direction: Management should make sure its policies, mission, and objectives are communicated across the organization.
- Assess and Manage IT Risks: Management should document those risks that could affect the objectives of the company. These could include security vulnerabilities, laws and regulations, access to customer or other sensitive information, etc.
- Identify Vendor Management Security Controls: As companies rely on other vendors, such as AWS to host their infrastructure or ADP for payroll processing, they need to identify the risks that could affect the reliability, accuracy, and safety of sensitive information.
The list above is just a small sample of the objectives that should be considered. The Information Systems Audit and Control Association, now known simply as ISACA, is an independent nonprofit that “engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.” For a more comprehensive list of objectives, reference ISACA's IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud.
What is the scope of a cloud computing audit?
The scope of a cloud computing audit includes the procedures specific to the subject of the audit. Additionally, it includes the IT general controls related to organization and administration, communication, risk assessment, monitoring activities, logical and physical access, system operations, and change management. An auditor is free to review and require evidence for any of the controls identified within these areas to gain the required assurance that the controls are designed and operating effectively. It is also important to note that controls maintained by a vendor are not included in the scope of a cloud computing audit.
What type of tests will auditors perform?
As mentioned before, auditors rely on different types of procedures, such as inquiry, physical inspection, observation, confirmation, analytical procedures, and/or re-performance, to collect evidence. These test procedures are used in combination to obtain the evidence needed to provide an opinion on the service being audited. Below are example tests performed for each of the IT general control areas identified above. Note that this is not an all-inclusive list.
- Organization and Administration
- Logical and Physical Access
Cloud computing audits have become standard as users realize that risks exist when their data is hosted by other organizations. To address those risks, users are requesting different forms of cloud computing audits to gain assurance and lower the risk of their information being lost or hacked.
For more information on cloud computing audits, check out the following Linford & Co articles:
- How Long Does a SOC Examination Take?
- What is a SOC 2 Report? Expert Advice You Need to Know
- SOC 2 Reporting: New 2017 Trust Services Criteria (TSP Section 100)
- What is HITRUST Certification & What is Required for Compliance?
- FedRAMP Continuous Monitoring – What Are the Responsibilities of CSPs and 3PAOs?
- What is a SOC 1 Report? Expert Advice You Need to Know
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is currently a manager with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.