(The Hosting News) – In a 2012 North Bridge Venture Partners survey, half of business respondents reported complete confidence in cloud computing. That was up from 13 percent of respondents in the same survey the year before. With cloud computing becoming an acceptable method for managing processes and data, organizations in regulated sectors are beginning to face cloud-computing audits.
Common Cloud Computing Risks
One reason for cloud-computing audits is to ensure enterprises are appropriately managing the risks inherent in the cloud. A first point of risk is the cloud service provider—employees of that company may have access to sensitive financial, personal, or health records used by the client organizations. Auditors will want to see procedures and policies that reduce access to information as much as possible and provide oversight and training for anyone who does retain access.
Cloud computing requires that administration and processes occur online. Auditors will be concerned with ensuring companies use the best or required level of encryption and security to protect data. Technology isn’t the only place where data security can fail, though. It’s important to ensure employees are trained to protect information online and when using mobile devices to connect to cloud processes.
Because the cloud is a relatively new technology, regulations regarding security are still emerging—especially in compliance-laden areas like finance or healthcare. It’s important for in-house compliance and audit departments to keep up with ever-changing requirements in order to ensure seamless performance in future audits.
The NASA Audit Failure
No organization is too big to fail an audit. After converting 140 applications to private-sector cloud environments in 2009, NASA later failed a cloud-related audit. Some lessons to learn from NASA’s failure include:
- Detailed vetting of any vendor solution—including cloud computing—should be handled in a test environment prior to entering production.
- Organizations should only deal with cloud vendors that are compliant with the appropriate regulations for the applicable industry. Healthcare companies shouldn’t work with vendors that aren’t aware of HIPAA requirements, for example, and retail organizations should seek cloud vendors that are compliant with PCI standards.
- Before acquiring new cloud technology or contracting with a vendor for services, put someone in charge of researching, selecting, and implementing the new service. In an enterprise organization, that might mean creating a team of subject matter experts in areas like compliance, accounting, data management, and technology from various departments.
The Role of Internal Audit
Internal audit or compliance resources within the organization play a valuable role before, during, and after any audit. These experts allow the enterprise to practice proactive risk management by simulating audits within a controlled environment. Whether you use a third-party vendor or an in-house team to conduct a practice audit, the results will tell you what to work on to avoid a formal audit failure. Internal auditors should regularly check processes, manage knowledge resources regarding cloud computing security requirements, and keep up with changing regulations and industry education.
If your organization is in a regulated industry, you shouldn’t be surprised when cloud-computing processes become part of any audit. By doing your homework, learning from the audit failures of others, and instituting strong internal risk management, you can avoid cloud-related issues in future audits.