820 likes | 1.47k Views
Cloud Computing Security and Governance. What Auditors Need to Know?. AICPA Upcoming Webcasts. May 25, 2011 (Wednesday) 2:00 – 3:30 EST CITP Career Path Jim Boomer, Jim Bourke, Ron Box, Chandni Sarawagi 2011 Top Technology Initiatives Webcast Series Coming Soon!
E N D
Cloud Computing Security and Governance What Auditors Need to Know?
AICPA Upcoming Webcasts • May 25, 2011 (Wednesday) 2:00 – 3:30 EST • CITP Career Path • Jim Boomer, Jim Bourke, Ron Box, Chandni Sarawagi • 2011 Top Technology Initiatives Webcast Series • Coming Soon! www.aicpa.org/itinfocasts
Introductions • Sarah Adams • Sarah is a Director at Deloitte & Touche LLP with more than 20 years of audit, risk, and controls experience in both • operations and technology with extensive experience in risk assessments, quality assurance reviews and strategic • assurance reviews. She has a strong background in IT and serves as the National Leader of Deloitte’s IT Internal Audit • practice. She supports the Internal Audit function of multiple large, global retail, publishing, and technology companies. • Rob Zanella • Rob Zanella is Vice President of IT Compliance & Security for CA and is responsible for all compliance and security • activities within Information Technology. Rob joined CA in 2005 as Director of Internal Audit to develop the company’s • first IT Audit practice. Rob has over 25 years of IT experience in operations, software development, project management, • auditing, compliance and security
Agenda • Introductions • What is Cloud computing • Key attributes • Key drivers • Cloud – Risk Intelligence Map • Role of Internal Audit • Q & A
Poll Question # 1 • What kind of entity do you work for? • Consulting Firm • Accounting Firm • Business and Industry • Government • Nonprofit
Cloud computing Cloud computing represents a major shift in information technology architecture, sourcing, and services delivery Cloud computing has emerged based on the convergence of Internet technologies, virtualization, and IT standardization. Network-based applications and data services, decoupled from enterprise data centers, has evolved into a growing "cloud" of software services and methods of computing. Industry analysts have defined capabilities and services offered by Cloud computing to include three major qualities: • Abstracted hardware resources • Consumed as variable expense • Increased elastic capacity and capability 7
Cloud computing architectures Cloud computing technology is deployed in three general types, based on the level of internal or external ownership and technical architectures
Poll Question # 2 • How would you describe your level of understanding of the cloud? • None - want to understand Cloud • Toe in the water • All in • I had nothing else to do today
Cloud computing services – X as a Service Different types of Cloud computing services are grouped into specific categories: Infrastructure, Platform and Software services
Sample services within the 3 categories of Cloud computing There is an evolving “ecosystem” of services providers Software-as-a-Service: • Customer Relationship Management • salesforce.com • myERP.com • Oracle OnDemand • RightNow • Business Intelligence • SAS Suite of On-Demand Applications • Vitria M3O • Human Resources • Oracle Peoplesoft • NetSuiteePayroll • Workday • Productivity and Collaboration • Gmail, Google Apps • Zoho.com Infrastructure-as-a-Service: • Amazon Web Services • Provide on-demand Cloud computing services using variable cost model • Amazon Virtual Private Cloud • Provide fully private Cloud services model using the Amazon cloud infrastructure • Mozy.com • Provides backup services over the Internet Platform-as-a-Service: • Google Applications Engine • Allows Web applications to be deployed on Google’s architecture • Microsoft Windows Azure • Cloud computing architecture that is offered to host .NET applications 11
Poll Question # 3 • What is the general status of your Cloud computing environment? • No Cloud at this time • Cloud computing is in design/concept at this time • Cloud is being developed/ pilot phase • Cloud computing environment is established • We use/have multiple cloud environments • Don’t know/unsure
Cloud computing - drivers Cloud computing is being driven by many urgent IT priorities: • Reduce amounts of IT capital equipment spending • Lower implementation costs compared to on-premise solutions • Less hardware to purchase and support; few assets on the balance sheet • Fewer IT resources required in-house • Costs are treated as operating expense, not capital expenses • Gain flexibility and speed in implementations • Allows greater flexibility and shorter time to implementation • Shift IT from supporting the infrastructure to innovating • Software maintenance and upgrades may be handled by Cloud providers • Greater ability to flexibly respond to the business as needs change • Leverage IT technology evolution • Rapidly changing technology standards and practices are driving enterprise to consider Cloud computing as a viable alternative 14
Top Cloud consideration & risks • Considerations around moving IT components into the Cloud: • What corporate security policies are in place? • What type of configuration management is used to protect against accidental changes that could negatively affect security? • How is data backed up? • How will availability objectives, recovery time objectives, and recovery point objectives be met? • How will disaster recovery testing occur and will clients have access to truthful results? • Who will have access to the data? • Where will the data be housed? • Will you have accessibility to the data for audits, etc.? • Consumer users – Privacy, data usage • Enterprise users – Encryption, data integrity • Service providers – Cross-border issues, regulations Security tops Cloud concerns How concerned are you with following issues as they relate to cloud computing? Security Control Performance Support Vendor lock-in Speed to activate new services/expand capacity Configurability Data: InformationWeek Analytics Cloud computing Survey of 453 business technology professionals A recent survey was conducted of 244 IT executives/CIOs about their companies’ use of, and views about, IT Cloud services. Biggest Cloud challenge reported was security. 15
Poll Question # 4 • What is the primary driver of your use/planned use of cloud? • Cost savings • Increased capacity/availability • Flexibility to increase/decrease usage easily • Minimal capital investment • We don’t use the Cloud/Don’t plan to use the Cloud
Poll Question # 5 • Which statement do you most agree with? • There are no new risks with Cloud computing; this is just a new version of what we've always dealt with • Although there are new risks with Cloud computing, we have reasonable mitigation strategies that can be implemented • There are significant new risks with Cloud computing
Role of Internal Audit (1/3) Internal Audit can play a role of strategic advisor and assist the business to understand and manage the risks associated with Cloud computing Risks Involved Implementation Phases Requirements ► Understanding the business case ► Incomplete requirements ► Poorly designed business case ► Requirements are not aligned within corporate policies and requirements ► Develop Requirements Specifications Vendor Selection ► Vendor evaluation and selection ► Update business case ► Incomplete selection criteria ► Lack of understanding vendor internal controls ► Excessive Costs Implementation ► Prioritization of migration ► Vendor contract ► Network Considerations ► Controls not considered ► Insecure design, no fault tolerant Pilot / Test ► Select area to pilot ► Migrate processes to test cloud ► Non existent/ineffective controls ► Inadequate testing ► Inadvertent exposure of data Migration ► Build infrastructure ► Migrate data and processes ► Inadvertent exposure of data ► Business processes don’t work as expected Validate and Monitor ► Decommission legacy systems ► Loss of financial records ► Loss due to inadequate monitoring ► SAS70, ISO reviews / Right to Audit
Role of Internal Audit (2/3) Sample support activities Identify control requirements (requirements, vendor selection, implementation phases) • Scope – identify controls to be implemented • Value – IA can help understand and manage the risks and therefore support their business case Vendor selection support (requirements, vendor selection phases) • Scope – support the evaluation of vendors and ensure balanced assessment • Value – manages the significant risk that the selected vendor will not be around tomorrow, internal technology won’t integrate, evidence of reliability Vendor management review (vendor selection, implementation, validate and monitor phases) • Scope – evaluate controls for managing vendor relationships (SLA’s/OLA’s), invoice review, escalation etc • Value – ensures that appropriate processes are in place to manage the significant new vendor relationship and maximize the value the company gets from it
Role of Internal Audit (3/3) Sample support activities Data migration assessment (implementation, pilot, migration phases) • Scope – assess planned data migration scope and method as well as future state data interface design • Value – helps the business and finance gain comfort around the plans for cut over from old new systems and for the completeness and accuracy of data transferred • PMO / Project management assessment (implementation, pilot, migration phases) • Scope – review project management / PMO capabilities • Value – ensures processes are in place that can support managing this complex and high risk project to the greatest benefit in the shortest time Controls review / assessment / test (all phases) • Scope – perform review of controls to be put in place, test controls and provide advice on improvement • Value – ensures IT and business have taken appropriate steps to mitigate implementation and business process risk that will arise as part of the implementation
Poll Question # 6 • Do we need to have data classification polices prior to moving on the Cloud? • Why worry, the Cloud provider will take care of my data • Yes, we should, but need to move to the Cloud asap to save costs • Yes, however, we need to implement data classification policies • Don’t care
Service Organization Controls (SOC) Reports Formerly – SAS70’s The AICPA has outlined 3 types of SOC reports designed to help service organizations meet User Entity objectives: • SOC 1 Report • Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ISAE 3402/SSAE 16) • SOC 2 Report • Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (AT101 – Attest Engagements) • SOC 3 Report • Trust Services Report for Service Organizations (SysTrust/WebTrust)
AICPA Products Related to Service Organization Controls • The AICPA recently developed resources for CPAs, service organizations and • user entities who need to build trust and confidence in outsourced services. The • sources include: • Online source center: www.aicpa.org/SOC • www.aicpa.org/infotech • Online brochure to provide an introduction to the concept of Service Organization Control (SOC) reports. • AICPA Alert: Service Organizations: New Reporting Options—2010/11 (NEW - IT Section members receive 10% off the purchase starting 01/11/11!) • SSAE 16 Publication: http://www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/AuditAttest/Standards/SSAEs/PRDOVR~PC-023035/PC-023035.jsp • Two Service Organization Control (SOC) guides are under development
Q&A More info is available at: aicpa.org/soc or aicpa.org/infotech
More information is available at: aicpa.org/soc or aicpa.org/infotechAlso, for an overview of how guidance and reports have been developed in response to the explosive growth in cloud computing and outsourcing, watch the below video with AICPA President & CEO Barry Melancon, CPA. http://www.aicpa.org/NEWS/AICPATV/ACCOUNTINGAUDITING/Pages/ServiceOrganizationControlReports.aspx
Poll Question # 7 • If you had to determine what to accept from a Cloud provider, what would you require? • A SAS70 or SYSTRUST independent attestation • An attestation against a new Standard - which should be developed • A review of the Provider’s controls by the User’s Internal Audit function • A self-assessment provided by the Provider • Don’t know
Questions, References and Contact Info Rob Zanella VP, IT Service Management Robert.Zanella@ca.com
IT Community Benefits at a Glance • IT Section Members Receive: • Discounts on Educational programs, such as AICPA Tech + Conference, National Advanced Accounting and Auditing Technical Symposium (NAAATS), Controller’s Conference and IT Audit School Program. • Discounts on valuable software and tools, including IDEA products. • Free monthly web seminars on topics critical to CPAs (plus an opportunity for CPE discounts!) • Valuable technology content, including discussion papers, studies, and practice aids. • Communications, including electronic newsletter, podcasts, featured articles, profiles, and news about the profession and the IT Community. • Networking groups and IT Community events at Tech + Conference
IT Community Benefits at a Glance • CITP Credential holders automatically receive IT Section • Membership, plus: • Differentiation from CPAs and other technology and financial management professionals. • Customizable marketing materials, including targeted brochures that highlight your ability to leverage technology for real business results. • CITP Networking Groups • Additional discounts, including $125 discount on conference registration to Tech +, National Advanced Accounting and Auditing Technical Symposium (NAAATS) and Controller’s conferences. • To find out more about the IT Section membership or the Certified • Information Technology Professional (CITP) Credentials, please go to • www.aicpa.org/infotechfor more details.