Cloud computing governance

Audit leaders have a role to ensure their audit committee maintains pace with important issues and key developments. Cloud computing has been around a while but do our boards understand the risks and assurance needed?

Cloud computing is an area where internal audit can offer a blend of consultancy and assurance services. The trusted advisor position enables audit leaders to engage and educate board members at the same time as constructing an assurance programme that protects and informs.

Statistics published by Eurostat in 2018 suggest over 41.9% of UK business uses some form of cloud service, against an EU average of 26.2% with usage more common in large organisations.

Audit committee guidance published by the National Audit Office suggests questions to consider asking at all stages: assessment, implementation and management. Auditors can also use these as part of audit engagement planning.

We draw on the NAO insights and consider actions for audit leaders.

Competent governance

The word ‘cloud’ creates a sense of mystery yet it refers quite simply to a centralised data centre operated remotely by a third party and accessed via the internet. Cloud computing undoubtedly sounds slicker than outsourced hardware, software and storage but adds to its ambiguity.

Although cloud computing is now commonplace in many organisations, can the same be said for the governance surrounding it? Has it kept pace?

Bruce Schneier, security expert, said “the internet is no longer a web that we connect to. Instead, it’s a computerised, networked, and interconnected world that we live in.” Organisations that engage in cloud computing epitomise this; it is a dependent relationship.

Governance leaders need sufficient knowledge to appreciate the opportunities/threats that cloud technology delivers and most importantly the required oversight. The IT function is no longer the gatekeeper for all technology.

How well informed is your…