Cloud Computing Audits – What You Need to Know

What you need to know about cloud computing

As the popularity of cloud computing has increased over the last decade, so has the maturity of the standards used to govern these resources. This article provides a definition of cloud computing and of a cloud computing audit, the objectives of a cloud computing audit, the scope of such an audit, and the audit steps to expect.

Cloud Computing Definitions

Cloud Computing:

Cloud computing is best defined by the National Institute of Standards and Technology (NIST). NIST is part of the U.S. Department of Commerce, with the mission of encouraging innovation through science, technology, and standards, including standards for cloud computing. According to NIST, “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”

This definition was created to set a baseline for the discussion around cloud computing. As the definition states, cloud computing includes five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service), three service models (software-as-a-service, platform-as-a-service, and infrastructure-as-a-service), and four deployment models (private cloud, community cloud, public cloud, and hybrid cloud). These characteristics, service models, and deployment models can be combined in different ways depending on the needs of the organization. For a more detailed breakdown of the cloud characteristics, service models, and deployment models, check out my blog Climbing to the Top: Understanding Major Cloud Service Providers.

Cloud Computing Audit:

In general, an audit is an engagement in which an independent third party obtains evidence through inquiry, physical inspection, observation, confirmation, analytical procedures, and/or re-performance.

In a cloud computing audit, a variation of these steps is completed in order to form an opinion on the design and operating effectiveness of the controls identified in the following areas:

  • Communication
  • Security incidents
  • Network security
  • System development or change management
  • Risk management
  • Data management
  • Vulnerability and remediation management
  • Tone at the top, or leadership's commitment to transparency and ethical behavior

Cloud computing audit objectives

What are cloud computing audit objectives?

During the planning and execution stages of an audit, it’s important to have a clear understanding of what the objectives of the audit include. Companies should strive to align their business objectives with the objectives of the audit. This will ensure that time and resources spent will help achieve a strong internal control environment and lower the risk of a qualified opinion.

Auditors use objectives as a basis for concluding on the evidence they obtain. Below is a sample list of cloud computing audit objectives that can be used by auditors and businesses alike.

  • Define a Strategic IT Plan: The use of IT resources should align with company business strategies. When defining this objective, some key considerations should include whether IT investments are supported by a strong business case and what education will be required during the rollout of new IT investments.
  • Define the Information Architecture: The information architecture includes the network, systems, and security requirements needed to safeguard the integrity and security of information, whether that information is at rest, in transit, or being processed.
  • Define the IT Processes, Organization, and Relationships: Creating processes that are documented, standardized, and repeatable creates a more stable IT environment. Businesses should focus on creating policies and procedures that cover organization structure, roles and responsibilities, system ownership, risk management, information security, segregation of duties, change management, incident management, and disaster recovery.
  • Communicate Management Aims and Direction: Management should make sure its policies, mission, and objectives are communicated across the organization.
  • Assess and Manage IT Risks: Management should document those risks that could affect the objectives of the company. These could include security vulnerabilities, laws and regulations, access to customer or other sensitive information, etc.
  • Identify Vendor Management Security Controls: As companies are relying on other vendors such as AWS to host their infrastructure or ADP for payroll processing, companies need to identify those risks that could affect the reliability, accuracy, and safety of sensitive information.

The list above is just a small sample of the objectives that should be considered. The Information Systems Audit and Control Association, now known as ISACA, is an independent nonprofit which “engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.” For a more comprehensive list of objectives, reference ISACA’s IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud.

What is the scope of a cloud computing audit?

The scope of a cloud computing audit will include the procedures specific to the subject of the audit. Additionally, it will include the IT general controls related to organization and administration, communication, risk assessment, monitoring activities, logical and physical access, systems operations, and change management. An auditor is free to review and require evidence for any of the controls identified within these areas to gain the required assurance that controls are designed and operate effectively. It is also important to note that controls operated by a vendor (for example, the physical security of a cloud provider's data centers) are not included in the scope of the company's own cloud computing audit; those controls are covered by the vendor's own audit report. The company's controls for selecting, monitoring, and reviewing that vendor, however, remain in scope.

Auditor testing

What type of tests will auditors perform?

As mentioned before, auditors rely on different types of procedures such as inquiry, physical inspection, observation, confirmation, analytical procedures, and/or re-performance to collect evidence. These procedures are used in combination to obtain the evidence needed to provide an opinion on the service being audited. Below are example tests performed for each of the IT general control areas identified above. Note that this is not an all-inclusive list.

Control area and example procedures
Organization and Administration
  • Inspect the company’s organizational structure
  • Inspect job positions with employee roles and responsibilities
  • Observe interviews to determine whether the company tests technical competencies
  • Inspect evidence of completed background checks.
Communication
  • Inspect policies and procedures
  • Inspect evidence that policies and procedures are available to all employees for reference
  • Inspect company Terms of Use or Privacy documentation to determine whether or not they identify responsibilities and commitments
  • Inquire of management about their commitment to ethical values.
Risk Assessment
  • Inspect the company’s documented risk assessment
  • Inspect the risk assessment to determine whether mitigation activities are identified, as required
Monitoring Activities
  • Inspect documentation which identifies system vulnerabilities
  • Inspect system configurations to determine whether notifications are provided when vulnerabilities or failures are identified
  • Inspect evidence that identified vulnerabilities are remediated
Logical and Physical Access
  • Observe that the office requires a badge to enter
  • Inspect evidence that individuals with administrator level access are authorized
  • Inspect the password policy used to enter the network
Systems Operations
  • Inspect monitoring tools used to monitor traffic and alert on suspicious activity
  • Inspect evidence that the tools successfully send alerts, as required
  • Inspect evidence that notifications are followed-up on and remediated as necessary
Change Management
  • Inspect evidence to confirm that changes are defined and documented, approved for development, tested, and approved for implementation
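Several of the procedures above (authorized administrators, the password policy, and documented change approval and testing) can be re-performed against exported configuration rather than screenshots, which gives the auditor machine-checkable evidence and gives the company a continuous control test. The following Python is an added example and is not code from the original article or from Linford & Co. The data structures, field names, and thresholds are constructed assumptions standing in for an IAM export, the written password standard, and a change-ticket export; adapt them to the provider and ticketing system actually in use.

```python
"""Re-performance of three audit procedures over constructed sample data.

Assumed input shapes (not a real provider's API):
  - PRINCIPALS:           one dict per identity, as an IAM export might give
  - APPROVED_ADMINS:      the management-approved administrator list
  - PASSWORD_POLICY:      settings as exported from the provider
  - PASSWORD_REQUIREMENTS: minimums from the company's written policy
  - CHANGES:              one dict per change ticket
"""

# --- Constructed sample data (hypothetical environment) -------------------
PRINCIPALS = [
    {"name": "alice", "roles": ["Administrator"], "mfa": True},
    {"name": "bob", "roles": ["ReadOnly"], "mfa": True},
    {"name": "carol", "roles": ["Administrator", "Billing"], "mfa": False},
    {"name": "svc-deploy", "roles": ["Administrator"], "mfa": False},
]
APPROVED_ADMINS = {"alice", "svc-deploy"}
ADMIN_ROLES = {"Administrator"}

PASSWORD_POLICY = {"min_length": 8, "require_symbols": False,
                   "max_age_days": 365, "history": 3}
PASSWORD_REQUIREMENTS = {"min_length": 14, "require_symbols": True,
                         "max_age_days": 90, "history": 12}

CHANGES = [
    {"id": "CHG-101", "approved_by": "alice", "tested": True, "deployed_by": "bob"},
    {"id": "CHG-102", "approved_by": None, "tested": True, "deployed_by": "bob"},
    {"id": "CHG-103", "approved_by": "carol", "tested": False, "deployed_by": "carol"},
]


def find_unauthorized_admins(principals, approved):
    """Names holding an admin role that are not on the approved list."""
    return sorted(p["name"] for p in principals
                  if ADMIN_ROLES & set(p["roles"]) and p["name"] not in approved)


def find_admins_without_mfa(principals):
    """Admin-role identities that are not protected by MFA."""
    return sorted(p["name"] for p in principals
                  if ADMIN_ROLES & set(p["roles"]) and not p["mfa"])


def check_password_policy(policy, requirements):
    """Setting names where the live policy is weaker than the written one."""
    # Each lambda answers: is the actual value weaker than the requirement?
    weaker = {
        "min_length": lambda actual, req: actual < req,
        "history": lambda actual, req: actual < req,
        "max_age_days": lambda actual, req: actual > req,
        "require_symbols": lambda actual, req: req and not actual,
    }
    return sorted(name for name, is_weaker in weaker.items()
                  if is_weaker(policy.get(name), requirements[name]))


def check_change_records(changes):
    """Map of change id -> list of exceptions for tickets lacking evidence."""
    exceptions = {}
    for change in changes:
        problems = []
        if not change.get("approved_by"):
            problems.append("no documented approval")
        if not change.get("tested"):
            problems.append("no test evidence")
        # Segregation of duties: the approver must not also be the deployer.
        if change.get("approved_by") and change["approved_by"] == change.get("deployed_by"):
            problems.append("approver also deployed (segregation of duties)")
        if problems:
            exceptions[change["id"]] = problems
    return exceptions


def run_control_tests():
    """Collect all findings into one evidence record for the workpapers."""
    return {
        "unauthorized_admins": find_unauthorized_admins(PRINCIPALS, APPROVED_ADMINS),
        "admins_without_mfa": find_admins_without_mfa(PRINCIPALS),
        "weak_password_settings": check_password_policy(PASSWORD_POLICY, PASSWORD_REQUIREMENTS),
        "change_exceptions": check_change_records(CHANGES),
    }


if __name__ == "__main__":
    for control, findings in run_control_tests().items():
        print(f"{control}: {findings or 'no exceptions'}")
```

Each function returns the exception population rather than a pass/fail flag, because that population is what an auditor samples from and what the company must remediate; an empty result is the evidence that the control operated for the period tested.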

Summary

Cloud computing audits have become standard as users realize that risks exist when their data is hosted by other organizations. To address those risks, they request different forms of cloud computing audits to gain assurance and lower the risk of their information being lost or compromised.

Cloud computing audits come in different forms such as SOC 1 & SOC 2 reporting, HITRUST, PCI, and FedRAMP. Depending on your needs, one of these should fulfil your audit requirements.

For more information on cloud computing audits check out the following Linford & Co articles:
