The Growing Use and Increased Complexity of Cloud Computing Is Creating New Challenges For Internal Auditors


Arthur Piper, July 31, 2019

Although Jean-Michel Garcia-Alvarez was used to working as a high-level internal auditor in the financial services
sector, 2015 presented him with several novel challenges. First, he was appointed head of internal audit — and later also
data protection officer — at a new, fintech challenger bank in London called OakNorth. It had received regulatory
approval from both the Prudential Regulatory Authority and the Financial Conduct Authority in August 2015 — one of
only three U.K. banks to do so in the past 150 years. Second, OakNorth wanted to be the first U.K. bank with a cloud-
only IT infrastructure, which was not an area he specialized in during his previous audit roles at Nationwide Building
Society, RBS, or Barclays.
Garcia-Alvarez realized that traditional audit skills would be of limited use because of the cloud’s newness and
evolving nature, with little precedent for how an internal auditor should scope and approach it. So, he
decided to obtain an IT audit certificate from the U.K.’s Chartered Institute of Internal Auditors (CIIA). It boosted his IT
audit skills and forced him to get to grips with how to approach cloud auditing and security. It also made him a
credible security player in the business.
At the same time, he says internal auditors must adhere to the fundamental remit of audit, which, for OakNorth, is the
CIIA’s Financial Services Code. One of the first sentences of that document says internal audit’s primary role is to
help senior management protect the assets of the business — in this case from hacking, data breach, and leakage.
“That is absolutely the role of internal audit in cloud security,” Garcia-Alvarez says. When businesses are migrating to
and operating in the cloud, internal audit needs to provide assurance that the cloud infrastructure is safe, secure, and
able to meet the firm’s objectives — not just now, but in the future. “The way to do that is to be embedded as the third
line of defense and to provide real-time feedback on risk and controls, and to assure the board that you are mitigating
risk with data — not creating new ones.”
While cybersecurity has long been on auditors’ lists of regular assignments, securing today’s cloud poses fresh
challenges. The very structure, speed, and opacity of the cloud demand a shift in focus away from traditional auditing.
Having systems in place to deal with data breaches, data loss, and ransomware attacks is mostly standard today, but
dealing with the security issues arising from the unique infrastructure of the cloud, the lack of visibility of fourth- and
fifth-level suppliers, and the need to work in tandem with both the cloud provider’s own security teams and a wider
range of stakeholders across the business are growing challenges for internal auditors dealing with cloud security.

Changing Purpose
OakNorth’s journey is a good example of how the speed of change impacts internal audit’s security concerns. Like
many businesses, OakNorth’s cloud provider in 2016 was Amazon Web Services (AWS). Because AWS is a large global player,
Garcia-Alvarez was happy that it could be responsible for the security of the cloud, while OakNorth was
responsible for security in the cloud. That theoretically makes it easier for internal audit because the function can
regularly check and rely on the up-to-date certifications maintained by the cloud provider. Audit can then focus almost
entirely on the internal security control environment. In reality, though, for cloud security to be robust auditors also
need to keep up with changing laws, rules, and regulator expectations.
“Those can change very quickly,” he says. In 2016 when OakNorth migrated to the cloud, the U.K. financial regulator
was happy with the decision and with the company’s cloud provider — because it was big, safe, and secure. But
when other banks followed suit by 2017, the regulator decided it was a potential concentration risk. If AWS went
down, it would take a huge slice of the U.K. financial services sector with it. As a result, OakNorth moved to a multi-
cloud solution for all of its client-facing technology.
From the outset, OakNorth used cloud data centers, provided by AWS, in several locations in Ireland, with an
additional fail-safe elsewhere in Europe. “That one is like a bouncy castle,” Garcia-Alvarez says. “The shell is there,
but the engine is off. Turn on the engine and it will be fully blown up and working in a matter of hours.” Just to be
sure, the IT team rebuilds the core banking platform from scratch at a new location in Europe once a year, with
internal audit providing independent assurance over the exercises. “It is time-consuming and expensive, but at least
we know that the bank is safe.”

Getting in Early
Cloud downtime is not a fantasy risk. In February 2017, for instance, AWS services on the U.S. East Coast
experienced failure. While reports on technology news site The Register suggested the servers were down only about
half an hour, some customers reportedly could not get their data back because of hardware failure. Another outage in
March 2018 affected companies such as GitHub, MongoDB, NewVoiceMedia, Slack, and Zillow, according to CNBC.
James Bone, a lecturer at Columbia University and president of Global Compliance Associates in Lincoln, R.I., says
that is just one of many reasons internal auditors should be involved early in any cloud deployment. “I don’t believe
that internal auditors should be deciding which products to use, but I do think they should be very much involved in
the selection process,” he says. “They need to understand the service model, what is being deployed, and how they
are planning to use the services. The platform that they use will determine, to a large part, the risk exposure to the
firm.”
That is because the choice of platform governs what data will be transitioned, if any will stay on the premises, access
administration, business continuity plans, data breach response, ransomware strategy and response, the frameworks
the service provider uses for cloud security, the frequency of monitoring, contractual agreements, and many other
factors. Auditors need to be on top of the situation to raise red flags before security risks crystallize. Bone says, for
instance, that he has heard stories of service providers failing during a transition to the cloud, without a backup in
place from which to restore the client’s data. In this example, organizations need to know what the recovery plan is
and, crucially, who is responsible for it.    

Sharing Responsibility
“These are shared security and operational relationships between the cloud provider and the business,” Bone says.
“So it is about clearly separating the different lines of accountability and responsibility at an early stage.” That
includes sharing operational performance metrics and having clear escalation processes for data breaches, outages,
and other security issues where the responsibilities are set out clearly between the cloud provider and the business.
The internal audit team must have a realistic understanding of its own and the business’s capabilities if those
measures are to be effective. “If the firm and the audit team are not particularly agile, can they use the vendor to take
up some of that role?” he asks.
The opaque nature of what goes on in the cloud service provider’s business is a particular worry for internal auditors.
“The biggest problem in these virtual environments is that the distance between control and assurance gets wider,”
he says. Bone has been researching this idea for about four years. In digital environments, he says, risk and audit
professionals have been used to testing applications because in most cases the physical hardware and data are
available to see, touch, and analyze.
“As we move to a boundaryless environment, we are creating a distance between our ability to recognize a problem
and having to rely on others to tell us there is a problem,” he says. “That distance impacts response time, and our
ability to develop and put in place even more robust controls, because we are further away from the problem. This is
an underappreciated risk and is getting larger because firms that are providing these services are getting better at
managing their own risk, while as businesses go further into the cloud and have multiple cloud providers, they are
becoming more removed from core processes.”

Potential Headaches
For Fred Brown, head of the critical asset management protection program at HP in Houston and former head of IT
audit at the firm, dealing with cloud security while working with such shared services can create “rather large
challenges.”
“The more you open your environment, the more you have to stay on top of security,” he says. Over the last couple of
years, HP has been working toward being a top quartile security organization, he explains. And Brown’s cyber team
has grown 70% during that time. The business has been aggressively moving to cloud services — including
infrastructure as a service, platform as a service, and software as a service. Implementing a 100% review of all
suppliers that would include all cloud instances throughout the business means doing a detailed security check of
more than 2,000 suppliers across the enterprise.
To speed up the process, HP has contracted with a third-party assessment exchange, Cyber GRX, which describes
itself as supplying “risk-assessment-as-a-service.” Any subscriber can have a supplier risk assessed — once the
results are in, users can view them via an exchange. The process is integrated into HP’s inherent risk-scoring
program, so that all vendors except those with the highest inherent risk score are assessed by Cyber GRX. The
vendors with the highest inherent risk are risk assessed by internal resources. This process represents a new
initiative at HP, and so far it has produced useful reports and helped the company tackle a backlog of risk
assessments.
“This is removing an entire blind spot when it comes to risk,” Brown says. “Even if you have 100 suppliers who you
haven’t assessed, with many connected to your company’s critical assets, whether it is employee data, or something
else — if you haven’t assessed them, you have no idea what their risk profile really looks like.”
Brown says one problem is that whether a cloud-based supplier is AWS or a small online education provider, if it is
managing critical data, the threat to the business is the same. With many cloud providers now outsourcing parts of
their own operations, HP is putting in extra effort on fourth- and fifth-party risk management. That is why having
someone track the cloud supplier landscape is critical to managing security risk, he says, enabling the organization to
identify what is going on and maintain control over the process. This challenge is amplified in a company such as HP
that was already complex when it began outsourcing to cloud service providers.

Working Across the Business
New suppliers need to have up-to-date, formal self-attestation certificates that follow recognized standards, such
as Service Organization Control (SOC) 2 reports and certification against the International Organization for Standardization’s ISO
27001. To make sure a business division or manager does not randomly contract with a new cloud provider, Brown’s
team has what he calls a “cast-iron interlock” with procurement. Procurement knows what HP’s cloud security
requirements are, and they must be included in any new contractual arrangements. In fact, Brown describes the
contracts as “living,” because they point to the security requirements, which HP can update without changing the
actual contract itself.
Working with AWS, HP has created a way of centralizing group security policies through the IT infrastructure. The
main cloud instance has all of the group policies established — any new instance sits beneath this “parent” and
effectively inherits its security policies automatically. “Every time you make a change to the group policy, it cascades
to all the instances that are underneath that,” Brown explains. Non-AWS cloud instances go through the new
procurement system as described earlier.
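The "parent instance" arrangement Brown describes is easiest to reason about as a tree: a policy attached at an ancestor applies to every account beneath it, so a single change at the top cascades downward, and an account created outside the tree inherits nothing at all. The following is an added example written for this article, not HP's or AWS's code; it models that cascade with a deny-list policy that is the union of everything attached along the path to the root (an assumption loosely modelled on how AWS Organizations service control policies behave, simplified and not tied to any real API). The account names and action strings are constructed sample values. The `outside_parent` check is the audit question that follows from the passage: which accounts sit outside the hierarchy and therefore never receive the group policy?

```python
# Added example (not HP's or AWS's code): a toy model of how security policies
# attached to a "parent" cloud account cascade to every account beneath it.
# Semantics are an assumption: a deny-list policy at any ancestor applies to all
# descendants, similar in spirit to AWS Organizations service control policies,
# but simplified and not tied to any real API.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Account:
    name: str
    parent: Optional[str]
    denied: Set[str] = field(default_factory=set)  # policy attached directly here


class PolicyTree:
    """Hierarchy of cloud accounts with inherited deny-list policies."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def add(self, name: str, parent: Optional[str] = None,
            denied: Iterable[str] = ()) -> None:
        if parent is not None and parent not in self.accounts:
            raise ValueError(f"unknown parent account: {parent}")
        self.accounts[name] = Account(name, parent, set(denied))

    def deny(self, name: str, action: str) -> None:
        """Attach one more denied action to an account's own policy."""
        self.accounts[name].denied.add(action)

    def ancestry(self, name: str) -> List[str]:
        """Return [name, parent, grandparent, ...] up to the root."""
        chain: List[str] = []
        cur: Optional[str] = name
        while cur is not None:
            chain.append(cur)
            cur = self.accounts[cur].parent
        return chain

    def effective_denies(self, name: str) -> Set[str]:
        """Union of deny policies along the path to the root: this is the cascade."""
        result: Set[str] = set()
        for acct in self.ancestry(name):
            result |= self.accounts[acct].denied
        return result

    def is_allowed(self, name: str, action: str) -> bool:
        """An action is allowed only if no ancestor (or the account itself) denies it."""
        return action not in self.effective_denies(name)

    def outside_parent(self, root: str) -> List[str]:
        """Accounts that do not descend from `root` and so inherit none of its policy."""
        return sorted(a for a in self.accounts if root not in self.ancestry(a))


def build_sample_org() -> PolicyTree:
    """Constructed sample hierarchy; account names and actions are illustrative only."""
    org = PolicyTree()
    org.add("corp-parent", denied={"s3:PutBucketAcl"})   # group policy set at the top
    org.add("payments-prod", parent="corp-parent")
    org.add("analytics-dev", parent="payments-prod")      # grandchild of the parent
    org.add("shadow-it-sandbox")                          # created outside the hierarchy
    return org


if __name__ == "__main__":
    org = build_sample_org()
    print(org.is_allowed("analytics-dev", "s3:PutBucketAcl"))     # False: inherited from the parent
    org.deny("corp-parent", "iam:CreateAccessKey")                 # one change at the top...
    print(org.is_allowed("analytics-dev", "iam:CreateAccessKey"))  # ...cascades down: False
    print(org.outside_parent("corp-parent"))                       # ['shadow-it-sandbox']
```

Running the module shows the two properties the passage describes: the grandchild account is bound by a policy it never had attached directly, and a later change at the parent reaches it without any per-account work. The sandbox account that was never placed under the parent is the case an auditor would want surfaced, since for it the cascade simply does not apply.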
As cloud computing becomes synonymous with organizations’ IT infrastructures, internal auditors need to work more
collaboratively and strategically, according to Scott Shinners, partner of Risk Advisory Services at RSM in Chicago.
That will mean audit working increasingly not just with IT and IT security, but with procurement, legal, risk
management, and the board.
“The audit committee has to see cloud security in the audit plan, and it also has to be present in the nature of the
additional conversations you’re having with management,” he says. “It should come up not just after implementation,
but before in strategy setting and so on.” Moreover, if internal audit discovers cloud instances in parts of the business
that are not meant to have them, it can feed back to IT and risk management.
Internal audit also needs to work closely with the audit committee as cloud migration, almost inevitably, leads to
abandoning a large percentage of the audit plan. “That is where the really good engagement with the audit committee
comes through,” Shinners says. “How willing is the audit committee to support a trade-off to reduce assurance on
moderate risk areas in order to have internal audit spend more of its resources on some of the cutting-edge stuff that
is emerging?”
Performing third-party, independent assessments of cloud security and thinking about the underlying controls on data
security, access management, breach response plans, and so on, is just the minimum internal audit can do, he says,
because that only provides a snapshot in time in a fast-moving area. “The No. 1 way that internal audit can be
successful is working with the second line of defense to build a culture around data protection that is pervasive
enough to be successful in an environment that is so fast moving,” he says. “Making sure risk management gets
feedback to know the culture is working is right up internal auditors’ alley.”

Skills and Expertise
CAEs may also need to reach outside of their organizations to secure audit staff with the right level of skills and
qualifications, says Ruth Doreen Mutebe, head of Internal Audit at Umeme, Uganda’s largest electricity distributor.
She recommends building partnerships with technology and information security institutes, such as ISACA, and
universities to help identify good candidates.
“Cloud auditing involves rare skill that takes time to build,” she says, especially because it requires people with a
good grasp of technical issues who can also communicate those concepts at a basic level to management. In
addition to attracting and training staff, a CAE has to be able to retain them after that initial investment has been
made.
Mutebe’s approach is to recruit a competent IT security auditor — even if a premium price has to be paid — who can
effectively audit and guide management on aspects of cloud security. In addition, she encourages her technical staff
members to pass on their knowledge to the entire audit team.
“That could include embedding cloud security procedures into what would have been non-IT audits to build capacity
and where resources allow, attaching nontechnical internal auditors to support basic tests on cloud security audits,”
she says. Where gaps remain, outsourcing and co-sourcing arrangements with clearly established service level
agreements can be used. “Even there, CAEs should encourage the outsourced service provider to train the internal
audit staff,” she says.

Keeping Up With Change
Cloud security is moving at a rapid pace, much like other technological changes in businesses today. For internal
auditors, that means a focus on critical thinking, learning how to stay current in their industries, and developing a
willingness to team up across the business and beyond to form effective alliances. While such an open approach to
providing assurance may be new to many auditors working in more traditional environments, it is likely to be a crucial
step to take if organizations are to deal with the growing complexity of their cloud initiatives.
