In today’s world, internal audit is in a state of rapid transformation, mainly due to cloud technologies. Information Technology is rapidly modernising our data centres from virtualisation to software defined data centres with a view of developing increasingly private clouds. Certainly, these too are interlinked to the public clouds. The end result is that the boundary of the audit’s control environment is increasingly virtual and hyper-extended.
But to understand this environment, we first need to appreciate the benefits of cloud technologies. One of the key advantages is that it recduces IT costs. Rather than purchasing expensive systems and equipment, organisations can minimise expenditure by using the resources of its cloud computing service provider.
Secondly, cloud computing offers scalability. This means businesses can scale up their operation and storage needs quickly to suit their situation, allowing flexibility as their needs change. This means instead of the organisation itself having to purchase and install expensive upgrades, the cloud computer services handles this. This means the organisation has both time and money free for other activities.
Efficiency is the other advantage cloud computing offers. This is more especially with collaboration in a cloud environment as companies are able to communicate and share more easily outside traditional methods.
Projects can be run across different locations with employees, contractors and third parties having access to the same files. Companies can also choose a cloud computing model that makes it easy to share its records with its advisers. For example this is a quick and secure way to share accounting records with its accountant or financial adviser.
Cloud computing can also offer a greater level of business continuity. Organisations know that protecting data and systems is an important part of business continuity planning. Whether they experience a natural disaster, power failure or other crisis, having data stored in the cloud ensures it is backed up and protected in a secure and safe location. Being able to access data again quickly enables organisations to conduct business as usual, minimising any downtime and loss of productivity. The rise of cloud adoption has been remarkable over the past few years and we can see little indication of it decelerating. What was initially a niche solution for start-ups can now be found in information technology (IT) blue prints and business strategies all over the corporate world. In simple terms, the corporate cloud now represents a shift from the status quo.
However, with delicate company data transiting through third-party cloud providers and into the cloud, concerns over security and risk have become central: Who chooses what information should be open in the cloud? Who defends the organisation’s data in the cloud and manages the related risks? Who is accountable for monitoring changes in the risk profile of a company’s cloud position?
Cloud computing is altering the means in which IT is procured, run, managed, and sustained.
Cloud services are also forming new tasks for dealer management and IT operations, giving internal audit departments an important role to play and making cloud-related risks a priority.
Similarly, organisations are seeing the cloud movement through the lens of traditional risk management, with concerns around confidentiality, dependability, and resilience: who might be watching or listening to the enormous flow of data both into and out of the cloud? What types of information are safe to hand over to a cloud provider, and what are the risks that delicate data might get lost or compromised once data goes off premise?
What controls have been set up so that companies can be sure legal, regulatory, and compliance requirements are being met and the company brand is being protected?
These risks must all be managed, which means that solutions have to be found to these challenges. There is no one-size-fits-all answer, it will have to be addressed by each company on a case by case basis.
As companies thus transform, internal audit will be pivotal in guiding an organisation through change because leading functions will be able to offer management with an autonomous point of view of the organisations governance and controls structure. To be effective, many internal audit roles will have to widen their skills sets to include those new digital keystone skills, which are being adapted by IT departments globally. But, most importantly, organisations needs to find a balance between risk and rewards for improved cloud auditing.