Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.


1 Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott (AEP), and Charles Saunders (Franklin University)

2 Overview of Presentation
1. Charles: Do internal audit fundamentals apply to cloud computing?
2. Jay: How does cloud computing make it into my audit universe?
3. John: How do you execute and sustain the audit plan?

3 Do internal audit fundamentals apply to cloud computing?
In a word, YES!
- Cloud computing is a significant strategic decision.
- Cloud computing has significant financial impact.
- Cloud computing has significant risk implications.
- Cloud computing has significant control considerations.
- Cloud computing requires significant management involvement, oversight, and governance.

4 COSO Definition of Internal Control
A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

5 COSO Definition of Enterprise Risk Management Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

6 Ten Principles of Cloud Computing Risk
Source: Vohradsky, D. (2012). Cloud risk—10 principles and a framework for assessment. ISACA Journal, 5, 31-41.
1. Executives must have oversight over the cloud.
2. Management must own the risks in the cloud.
3. All necessary staff must have knowledge of the cloud.
4. Management must know who is using the cloud.
5. Management must authorize what is put in the cloud.
6. Mature IT processes must be followed in the cloud.
7. Management must buy or build management and security in the cloud.
8. Management must ensure cloud use is compliant.
9. Management must monitor risk in the cloud.
10. Best practices must be followed in the cloud.

7 Risk Implications and Responses
Source: The Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2012.
1. Unauthorized cloud activity → Cloud policies and controls
2. Lack of transparency → Assessments of cloud service provider (CSP) control environment
3. Security, compliance, data leakage, data jurisdiction → Data classification policies and processes
4. Transparency and relinquishing direct control → Management oversight, operations monitoring controls
5. Reliability, performance, high-value cyber-attack target → Preventative measures; incident management
6. Non-compliance with regulations → Monitoring of the external environment
7. Vendor lock-in → Preparation of an exit strategy
8. Non-compliance with disclosure requirements → New disclosures in financial reporting
9. All risks → ERM; Internal Audit; Board oversight; management awareness and involvement

8 Selected Sources of Information about Cloud Computing Risks and Controls
1. COSO
2. IIA
3. ISACA (e.g., COBIT 5, other publications and guidance)
4. IEEE (Institute of Electrical and Electronics Engineers)
5. ENISA (European Network and Information Security Agency)
6. OWASP (Open Web Application Security Project)
7. CSA (Cloud Security Alliance)
8. NIST (National Institute of Standards and Technology)
9. ISO 27001
10. ISO/IEC 9126
11. AICPA

9 Audit Plan Development Process
[Flow diagram: influences feed the audit universe, which is prioritized into the audit plan and strategy]
- External Influences: News/Events, Deloitte Input, Regulatory Compliance, Rules & Laws
- Internal Influences: AEP Strategy, Enterprise Risk Management, Interviews, Prior Audits
- Professional Influences: Trade/EEI, Institute of Internal Auditors, Audit Directors Roundtable, Etc.
- Audit Universe
- Risk-Based Prioritization: Emerging Risks, Ongoing Risks, Reactive Risks
- Preliminary Audit Plan
- Audit Strategy

10 Auditing Cloud Computing (John Didlott, March 2013)

11 Agenda
- Cloud Audit Drivers
- Audit Planning
- Cloud Drivers
- Audit Planning
- Scope and Objectives
- Risk Assessment
- Engagement Risks
- Risk Factors
- Mitigating Risk
- Risks not Specific to the Cloud
- Security Benefits
- Cloud Audit Program Resources
- Questions?

12 Our Audit and Why
- Data Ownership
- Third party relationship
- Cyber Security

13 Audit Planning
- Preparing for the audit
  - What do you really have in the “Cloud”?
  - What types of clouds are utilized within your organization?
  - Where do you start?

14 Objectives and Scope
- Objectives
  - Data Security
  - Control Deficiencies
  - Service Provider Reliability/System Availability
- Scope
  - Governance
  - Contractual Compliance
  - Control Issues specific to Cloud Computing

15 Risk Assessment
- What is involved in creating the Risk Assessment for a cloud environment?
- What are the risk factors that apply to cloud computing?

16 Engagement Risks
- Risks based on Management's Objectives
  - Security, Cost and System Availability
- Efficiency/Effectiveness of operations
  - Access to data
  - System Failure
- Reliability of information
  - Data Security and Availability

17 Risk Factors
- The Audit Clause
  - How important is the audit clause?
  - Before you can look at the risk, you need to answer the following question: What do the cloud contracts allow me to do?

18 Risk Factors Cont…
- Governance and Compliance
  - A cloud solution moves control over governance and compliance to the cloud provider
- Conflicting Security Procedures of Provider
  - The security procedures at both the provider's and the customer’s end
- Abuse of Privilege at Provider’s End
  - How is access granted at the cloud provider?

19 Risk Factors Cont…
- Data Security
  - What are the data protection risks I am facing?
- Ineffective deletion of data
  - When I delete data, is the data actually being deleted?
- Lock In/Service portability
  - Data formats and interfaces could make it difficult for data portability

20 Risk Factors Cont…
- Multi-tenancy environment
  - If your data contains information that needs to be protected, do you want the data stored in a public (shared) cloud?
- Lack of Compliance Assurance
  - Does your provider meet industry standards and security requirements?
- Lack of Transparency in Supply Chain
  - What are the services the third party is providing?

21 Risk Factors Cont…
- Resource Limitations
  - Inaccurate modeling and planning
- Remote Access Vulnerabilities
  - How can your data be accessed?
- Business Continuity (BC) Planning and Disaster Recovery (DR)
  - What does your cloud provider's provider have in place?

22 Strategies for Mitigating Risk
- Get involved at the beginning
  - Start before a contract is signed
- Use encryption in the cloud
  - Prevention of disclosure
- Develop a stronger auditing approach around the provider's facilities and logs
  - Ensure that access to facilities and logs is available

23 Strategies for Mitigating Risk Cont…
- Leverage Expertise
  - Determine how data is handled at the provider's end
- Security Certificates
  - Do they conform to industry standards?
- Data Breaches
  - What actions can you take to protect yourself monetarily?

24 Risks not specific to the Cloud
- Network Breaks
  - How would this affect your business?
- Network Management
  - Can affect company reputation and customer trust

25 Risks not specific to the Cloud Cont…
- Unauthorized access to facilities
  - What could happen if an unauthorized access occurred?
- Natural Disasters
  - Can affect company reputation along with customer trust

26 Security Benefits
- Security and the benefits of scale
  - Cheaper when implemented on a larger scale
- Security as a market differentiator
  - Reputation of provider
- Standardized interfaces for managed security services
  - Open interface to managed security

27 Security Benefits Cont…
- Rapid, smart scaling of resources
  - Reallocation of resources
- Audit and evidence-gathering
  - Dedicated forensic images of virtual machines
- More timely, effective and efficient updates and defaults
  - More efficient around updates

28 Cloud Audit Program Resources
- ISACA – Cloud Computing Management Audit/Assurance Program: http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/Audit-Programs/Pages/ICQs-and-Audit-Programs.aspx
- Cloud Federal Privacy Recommendations: http://www.privacylives.com/wp-content/uploads/2010/08/Privacy-Recommendations-Cloud-Computing-8-19-2010.pdf
- CSA Cloud Security Guidance: http://www.cloudsecurityalliance.org/csaguide.pdf
- NIST Cloud Presentations: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
- GSA Cloud Guidance: http://www.gao.gov/new.items/d10855t.pdf

29 Questions?

