Cloud computing, of course, is not a recent development. Organizations have been putting more and more of their sensitive data in the “cloud” for the last several years. More recently, though, many organizations have come to rely on it almost exclusively for their computing needs, entrusting the cloud not only with sensitive data, but with core processes and transactions. While we’ve come a long way from the security concerns that used to envelop cloud computing like a thick fog, there are still several aspects of cloud reliability and security that internal audit and IT auditors should be on top of. Here we’ll discuss what internal audit needs to know about cloud computing.
Cloud computing delivers services over the internet, offering faster innovation, flexible resources, and economies of scale. Organizations benefit from scalability, flexibility, and lower capital investment. The COVID pandemic, which forced many employees to work from home, hastened a move to cloud computing for many organizations, since employees could access applications and data from anywhere they could log onto the Internet.
Cloud computing comes in public, private, and hybrid deployment types and is delivered through three main service models: software as a service, platform as a service, and infrastructure as a service:
- Infrastructure as a service (IaaS) is a cloud computing service offering on-demand essential computing, storage, and networking resources on a pay-as-you-go basis.
- Platform as a service (PaaS) is a ready-to-use, cloud-hosted platform for developing, running, maintaining, and managing applications.
- Software as a service (SaaS) is on-demand access to ready-to-use, cloud-hosted application software. Office tools (such as Microsoft Office 365) are common examples.
The public cloud shares infrastructure among multiple organizations and is accessed over the internet. It offers less control over security and configuration than a private cloud. Examples: Amazon Web Services (AWS) and Google Cloud Platform.
In a private cloud, the service provider does not share the hired resources with the public and supports connectivity only over a virtual private network. It involves dedicated infrastructure for a single organization and offers higher security and control. Examples are OpenStack and Oracle Cloud Infrastructure.
Internal auditors must assess the related risks, since 99 percent of cloud security failures are predicted to result from customer error. Organizations need to manage the transition carefully to avoid potential pitfalls. Internal audit teams should gauge the organization’s cloud risks and data governance models, understand its risk tolerance, and develop a good understanding of governance, risk management, and control processes in the cloud environment.
A Cloud Check-List for Internal Auditors
Inventory of all cloud solutions utilized: Identify the data and the types of cloud technologies in use throughout the organization. This will help internal auditors understand the extent of cloud utilization and assess the overall risks to the organization.
Shared responsibility model: Responsibilities are divided between the cloud service provider and the customer based on the cloud and service type. The level of risk and responsibility increases as organizations use different cloud services. The internal audit team should analyze key stakeholders and their roles and ensure a documented responsibility matrix is signed with the cloud service provider.
Cloud strategy and governance: Internal auditors should verify that the cloud strategy and its governance align with the overall business strategy. The Cloud Reference Model outlines best practices for cloud computing, with NIST SP 500-292 defining five main actors. Focusing on a single cloud provider may lead to vendor lock-in; multi-cloud and hybrid cloud strategies can help mitigate this issue, but they open other risks related to how the services interact across suppliers.
Change management: The internal audit team should confirm that the organization has complied with the change management policies and strategies that govern moving a company’s digital assets from on-site to cloud-based computing systems. This helps the organization minimize risk and ensures alignment with business objectives.
Manage the Risk of Shadow IT
The internal audit team should confirm that the organization periodically uses appropriate tools to track the cloud services currently in use across the organization, so that unauthorized service usage is detected and prevented.
Manual versus automation initiatives: Organizations executing processes manually in the cloud environment, such as installing and configuring virtual servers, networks, or storage capacities, are more prone to errors and need more time than they would with automated or semi-automated tasks. The internal audit team should consider examining the use of automation within the cloud environment.
Monitoring costs: Internal auditors should confirm if the organization has deployed cost management tools for tracking cloud usage costs, such as cloud usage reports and cloud management platforms.
Further, the internal audit team should confirm that the organization has inventoried its cloud resources using tagging. Tagging lets users assign custom metadata to their cloud resources, such as tags representing business categories like cost centers, application names, or owners. Tags also help find and manage resources and support reporting on cost usage.
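The tagging check described above can be exercised against an inventory export. The following Python is an added example written for this article, not code from the authors or from any cloud provider: the resource inventory is constructed, and the three required tag keys (CostCenter, Application, Owner) are an assumption about the organization’s tagging standard. It reports which resources fail the standard, what share of the inventory is compliant, and how much monthly cost cannot be allocated to a cost center because of missing tags.

```python
"""Tag-coverage check over a constructed cloud resource inventory (added example)."""
from collections import defaultdict

# Assumed tagging standard: every billable resource must carry these keys.
REQUIRED_TAGS = ("CostCenter", "Application", "Owner")

# Constructed sample inventory, shaped like a typical cloud inventory export.
SAMPLE_INVENTORY = [
    {"id": "vm-001", "type": "vm", "monthly_cost": 120.0,
     "tags": {"CostCenter": "CC-100", "Application": "billing", "Owner": "fin-team"}},
    {"id": "vm-002", "type": "vm", "monthly_cost": 95.0,
     "tags": {"CostCenter": "CC-100", "Application": "billing"}},  # missing Owner
    {"id": "bucket-a", "type": "storage", "monthly_cost": 40.0,
     "tags": {"CostCenter": "CC-200", "Application": "hr-portal", "Owner": "hr-team"}},
    {"id": "db-1", "type": "database", "monthly_cost": 310.0, "tags": {}},  # untagged
]


def find_tag_violations(inventory, required=REQUIRED_TAGS):
    """Return {resource_id: [missing tag keys]} for resources that fail the standard.

    An empty-string tag value counts as missing, since it defeats cost reporting.
    """
    violations = {}
    for res in inventory:
        tags = res.get("tags") or {}
        missing = [key for key in required if not tags.get(key)]
        if missing:
            violations[res["id"]] = missing
    return violations


def cost_by_tag(inventory, key="CostCenter"):
    """Aggregate monthly cost per tag value; resources lacking the key go to 'UNALLOCATED'."""
    totals = defaultdict(float)
    for res in inventory:
        value = (res.get("tags") or {}).get(key) or "UNALLOCATED"
        totals[value] += res["monthly_cost"]
    return dict(totals)


def tag_coverage(inventory, required=REQUIRED_TAGS):
    """Fraction of resources (by count) that carry every required tag."""
    if not inventory:
        return 0.0
    compliant = len(inventory) - len(find_tag_violations(inventory, required))
    return compliant / len(inventory)


if __name__ == "__main__":
    for rid, missing in find_tag_violations(SAMPLE_INVENTORY).items():
        print(f"{rid}: missing {', '.join(missing)}")
    print(f"tag coverage: {tag_coverage(SAMPLE_INVENTORY):.0%}")
    for centre, total in sorted(cost_by_tag(SAMPLE_INVENTORY).items()):
        print(f"{centre}: ${total:,.2f}")
```

On the constructed inventory, half the resources are compliant and the untagged database leaves $310 of monthly spend unallocated, which is the figure an auditor would want the cost-management owner to explain.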
How often should cloud projects be evaluated: It is critical to evaluate cloud projects regularly. Internal audit functions should cover some aspects of cloud computing based on the risk level every year. Organizations often focus on due diligence when onboarding a cloud services provider, but it is important to monitor the evolution of cloud services over time.
How should the new cloud services be screened? An internal audit can assess cloud computing before the transition to inform stakeholders about policies, procedures, and key controls for addressing cloud computing risks. The internal audit team can then decide on the frequency and type of engagement based on the complexity, maturity, and type of cloud services.
When screening new cloud services, the internal audit team should test key controls related to deployment, ensure the decision aligns with information security standards, evaluate terms and conditions, and review third-party trust reports such as SOC 2. Benchmarking industry standards and confirming key agreements with cloud service providers should also be considered.
Evaluate cloud misconfiguration: Internal auditors should evaluate misconfiguration issues through scans using cloud security posture management tools. For example, an organization could accidentally make a cloud-based repository publicly accessible when it was intended to be kept private.
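The public-repository mistake above is exactly what a posture-management scan looks for. The Python below is an added example for this article, not the article’s code and not the output of any CSPM product or cloud API. The bucket records are constructed; their fields follow the S3 concepts of a bucket policy, ACL grants, and the Public Access Block settings (RestrictPublicBuckets and IgnorePublicAcls), and the account id 123456789012 is a placeholder. A bucket is flagged when a policy or ACL opens it to everyone and the setting that would neutralise that opening is off.

```python
"""Public-exposure check for storage buckets (added example, constructed data)."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def policy_is_public(policy):
    """An Allow statement to everyone with no Condition makes the policy public.

    Statements carrying a Condition (for example aws:SourceVpce) are treated as
    narrowing and left for manual review rather than reasoned about here.
    """
    if not policy:
        return False
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    return any(
        s.get("Effect") == "Allow"
        and _principal_is_everyone(s.get("Principal"))
        and not s.get("Condition")
        for s in statements
    )


def acl_is_public(grants):
    """ACL grants to the AllUsers or AuthenticatedUsers groups expose the bucket."""
    return any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTHENTICATED_USERS)
               for g in grants or [])


def assess_bucket(bucket):
    """Return a list of findings; an empty list means no public exposure detected.

    RestrictPublicBuckets neutralises a public bucket policy; IgnorePublicAcls
    neutralises public ACL grants. BlockPublicPolicy/BlockPublicAcls only stop
    new public settings from being applied, so they are not consulted here.
    """
    pab = bucket.get("public_access_block") or {}
    findings = []
    if policy_is_public(bucket.get("policy")) and not pab.get("RestrictPublicBuckets"):
        findings.append("bucket policy grants access to everyone; RestrictPublicBuckets is off")
    if acl_is_public(bucket.get("acl_grants")) and not pab.get("IgnorePublicAcls"):
        findings.append("ACL grants access to AllUsers/AuthenticatedUsers; IgnorePublicAcls is off")
    return findings


# Constructed sample buckets (account id 123456789012 is a placeholder).
SAMPLE_BUCKETS = {
    "finance-reports": {
        "policy": {"Statement": [{"Effect": "Allow",
                                  "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                                  "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::finance-reports/*"}]},
        "acl_grants": [],
        "public_access_block": {"RestrictPublicBuckets": True, "IgnorePublicAcls": True},
    },
    "intended-private-but-open": {
        "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                  "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::intended-private-but-open/*"}]},
        "acl_grants": [],
        "public_access_block": None,
    },
    "legacy-acl-neutralised": {
        "policy": None,
        "acl_grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}],
        "public_access_block": {"IgnorePublicAcls": True},
    },
}


def scan(buckets):
    """Map bucket name -> findings for every bucket with at least one finding."""
    return {name: f for name, b in buckets.items() if (f := assess_bucket(b))}


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_BUCKETS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Only the second bucket is reported: the first restricts its policy to one account, and the third has a public ACL that the account-level setting already ignores. That last case is why a scan should evaluate the effective configuration rather than each setting in isolation.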
Security Controls in the Cloud
The audit team should confirm that the organization has established an intended security baseline for the cloud environment. This baseline should include incident response plans, assigned responsibilities for cloud security, and deployment of cybersecurity controls such as application security, network segmentation, access control, email security, firewalls, intrusion prevention systems, multifactor authentication (MFA), and endpoint detection and response (EDR).
The audit team should confirm that organizations have strong identity and access management practices in place, including multifactor authentication, role-based access control, and ongoing review of identity rules and policies.
According to Gartner, API protection and security is a key factor in selecting cloud web application and API (application programming interface) protection solutions. It’s important to choose solutions that leverage AI/ML (artificial intelligence/machine learning) and large language models to reduce alert fatigue and identify advanced threats.
Organizations should implement appropriate controls to ensure that cloud data is encrypted at rest and in transit, with a preference for asymmetric encryption methods like elliptic-curve cryptography and digital signatures.
The audit team should confirm the organizational controls to detect and prevent suspicious activity in cloud applications and maintain the data’s security and integrity. Monitoring user activities and transactions is vital to detect anomalies that could indicate a security breach. In cloud environments, log data can help organizations gain real-time insights into their cloud environments, identify anomalies, and respond swiftly to potential incidents.
Cloud service providers offer various monitoring tools that can log and audit activities, from data access to configuration changes. For example, organizations can use CloudTrail and CloudWatch to audit AWS environments.
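The monitoring and anomaly detection described in the two paragraphs above can be illustrated on activity-log records. The Python below is an added example written for this article, not code from the authors or from AWS: the records are constructed to mirror the field names of CloudTrail records (eventTime, eventName, userIdentity, additionalEventData.MFAUsed, responseElements, errorCode), and the rule set, the list of sensitive event names, and the AccessDenied threshold are assumptions about what an internal audit team would want surfaced from a log review.

```python
"""Triage of CloudTrail-style activity records (added example, constructed data)."""
from collections import Counter

# Assumed high-risk configuration changes worth a second look in any review.
SENSITIVE_CHANGES = {
    "PutBucketPolicy", "PutBucketAcl", "DeleteBucketPolicy",
    "PutUserPolicy", "AttachUserPolicy", "CreateAccessKey",
}
# Changes that reduce audit visibility itself.
LOGGING_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
DENIED_THRESHOLD = 3  # AccessDenied events from one actor before flagging (assumption)


def _event(time, name, ident_type, user, **extra):
    """Build a constructed record shaped like a CloudTrail event."""
    rec = {"eventTime": time, "eventName": name,
           "userIdentity": {"type": ident_type, "userName": user}}
    rec.update(extra)
    return rec


SAMPLE_EVENTS = [
    _event("2024-05-01T08:00:12Z", "ConsoleLogin", "IAMUser", "alice",
           additionalEventData={"MFAUsed": "Yes"}, responseElements={"ConsoleLogin": "Success"}),
    _event("2024-05-01T08:05:40Z", "ConsoleLogin", "Root", "root",
           additionalEventData={"MFAUsed": "No"}, responseElements={"ConsoleLogin": "Success"}),
    _event("2024-05-01T08:06:02Z", "PutBucketAcl", "Root", "root",
           requestParameters={"bucketName": "finance-exports"}),
    _event("2024-05-01T09:15:00Z", "StopLogging", "IAMUser", "bob"),
    _event("2024-05-01T10:00:01Z", "GetObject", "IAMUser", "carol", errorCode="AccessDenied"),
    _event("2024-05-01T10:00:03Z", "GetObject", "IAMUser", "carol", errorCode="AccessDenied"),
    _event("2024-05-01T10:00:05Z", "ListBuckets", "IAMUser", "carol", errorCode="AccessDenied"),
    _event("2024-05-01T11:30:00Z", "DescribeInstances", "AssumedRole", "ops-role"),
]


def actor_of(rec):
    """Identity type and name, e.g. 'IAMUser/alice'."""
    ident = rec.get("userIdentity", {})
    return f"{ident.get('type', '?')}/{ident.get('userName', '?')}"


def triage(records):
    """Return findings as (eventTime, actor, rule) tuples in log order, followed by
    one aggregate finding per actor whose AccessDenied count reaches the threshold."""
    findings = []
    denied = Counter()
    for rec in records:
        actor = actor_of(rec)
        name = rec.get("eventName")
        # Root credentials should be unused day to day; any activity is reportable.
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append((rec["eventTime"], actor, "root-account-activity"))
        # A successful console login that did not use MFA.
        if (name == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append((rec["eventTime"], actor, "console-login-without-mfa"))
        if name in LOGGING_TAMPERING:
            findings.append((rec["eventTime"], actor, "logging-tampering"))
        elif name in SENSITIVE_CHANGES:
            findings.append((rec["eventTime"], actor, "sensitive-configuration-change"))
        if rec.get("errorCode") == "AccessDenied":
            denied[actor] += 1
    for actor, count in denied.items():
        if count >= DENIED_THRESHOLD:
            findings.append(("(aggregate)", actor, f"access-denied-burst:{count}"))
    return findings


if __name__ == "__main__":
    for time, actor, rule in triage(SAMPLE_EVENTS):
        print(f"{time}  {actor:<18}  {rule}")
```

The constructed log yields six findings: two for root activity, one login without MFA, one bucket ACL change, one logging stop, and one burst of denied requests from a single user. In practice the same rules would run over exported trail files or a SIEM query rather than an in-memory list, but the evidence an auditor asks for is the same.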
The audit team should evaluate whether the organization has considered enhancing its cybersecurity efforts with Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA). According to Blackberry.com, UEBA solutions complement SIEM for organizations looking to gain insights into how users interact with sensitive corporate data and enable faster incident detection and response. Network policies can be used to allow or deny traffic between components of a cluster based on criteria decided by the organization, such as pod labels, IP addresses, or namespaces.
The audit team should evaluate whether appropriate controls are in place for the production environment when DevOps (development operations) is used for application management in cloud infrastructure or other enterprise-class applications. Organizations should also patch and secure the operating systems, applications, and workloads running on shared cloud solutions.
Geographic (geo) redundancy: Storing data in multiple geographically diverse locations to ensure availability and durability. This is critical for business continuity planning and disaster recovery, as it mitigates the risk of data loss and downtime due to localized events.
With geo redundancy, data is copied and stored in multiple locations, and in the event of a system failure operations are automatically transferred to a secondary system in a different location. Cloud service providers offer dedicated services for long-term retention, off-site replication, and disaster recovery as a service (DRaaS).
The internal audit team should confirm that redundant systems function as intended by testing the site resilience strategy at least once a year.
Right-Skilled Internal Audit Teams
Internal audit teams should be skilled in auditing cloud computing engagements, aware of the different deployment models and service types, and knowledgeable in relevant frameworks and standards such as SOC 2, ISO, NIST CSF, PCI-DSS, and cloud security best practices. The Certificate of Cloud Auditing Knowledge (CCAK) certification could be useful for internal auditors working in the cloud environment.
Compliance with industry regulations and standards and corporate policies: Organizations in regulated industries such as healthcare, banking, and government must comply with industry-specific regulations like GDPR, HIPAA, and PCI-DSS. Internal audits should verify compliance with these regulations and confirm the implementation of appropriate policies for cloud solutions. Data residency requirements for cloud computing must be met to avoid fines, legal action, and data loss. Security policies should evolve to address new threats and changes in cloud computing.
Cloud computing is a key resource for most organizations, and while it brings a degree of risk, the internal audit team can limit the organization’s exposure. Cloud computing is moving rapidly, and it is essential for internal auditors to stay updated with the relevant standards and frameworks that guide the cloud audit process.
Nirpendra “Nick” Ajmera B.COMM, CA, CIA, CISA, CFE is an internal audit influencer with more than twenty years of experience in the internal audit and risk arena. He currently leads internal audit for Qulliq Energy Corporation in Nunavut.
Abhishek Gangwal is a CPA, CISA and CFE. After completing his Cloud Audit Certificate from ISACA, he has worked on cloud engagements as a trusted consultant for several years.
Mark McEvoy CPA, CIA, CRMA, MBA is an experienced internal audit, external audit, and internal controls professional and board member with more than twenty years of experience.