Cloud computing is at the vanguard of global digital transformation. This article explains how to recognize the opportunities of cloud computing and how to take stock of an organization's cloud activities. It also identifies the stakeholders involved in the company's risk management strategy and in the shared responsibility model, and closes with recommendations for addressing the disruptions that cloud adoption brings.
The fourth industrial revolution is underway worldwide; a digital revolution fueled by the rapid, massive development of digital technologies such as high-speed mobile internet capabilities, artificial intelligence (AI) and machine learning. Cloud computing is at the forefront of this change. As a result, companies of all sizes, industries, and geographies have dramatically and rapidly increased their use of cloud computing. According to Gartner (2019), more than a third of companies see cloud investments as one of their top three priorities. The market for public cloud services is expected to reach a whopping $266 billion by 2020.
One of the drivers of the expansion and widespread use of cloud computing is the current digital transformation. In a 2016 speech, Microsoft CEO Satya Nadella offered this enduring description of digital transformation: "Be more engaged with customers, empower employees, optimize the way they work, and use digital content to improve the products and services they offer." From a cloud computing perspective, the benefits include offloading internal IT infrastructure that is expensive and difficult to upgrade and manage, simplifying and scaling storage, software and application support, greater speed and processing power, and lower costs. As a result, companies of all sizes, geographies and industries, including CPA firms and their clients, are building their own private clouds or purchasing public cloud services from cloud service providers (CSPs) such as Microsoft Azure and Amazon Web Services (AWS).
While these potential benefits are compelling, market intelligence suggests that cloud computing both exacerbates existing risks and creates new and unexpected ones. For example, a cloud security breach exposed the names, addresses and account information of up to 14 million US Verizon customers. Against that backdrop, one can only imagine the cybersecurity breaches and cloud-related service disruptions that could follow from the unplanned, rapid shift to remote work caused by the coronavirus (COVID-19) pandemic. On the one hand, employees who unexpectedly switched to remote work had immediate, fast and seamless access to the data, software and applications they needed, in part because of cloud computing. On the other hand, such unplanned disruptions and rapid changes heighten existing risks and create new ones when employees access data from remote locations: data breaches, unauthorized access and system availability failures, for example.
This disruptive cloud model raises questions about cloud strategy, performance, risk and control for corporate boards, managers, regulators and insurance providers. These issues include the extent and location of cloud activities; the impact of dependence on the cloud service provider's (CSP's) network; exposures affecting reputation, intellectual property, financial reporting and market confidence; compliance with legal requirements in every applicable jurisdiction; and the adequacy of security, auditing and change management. This article examines cloud computing opportunities, risks, and resilience strategies, including enterprise risk management, assurance by CPA firms, and change management.
The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Simply put, a cloud is a huge cluster of very large servers spread all over the world (i.e., a cloud farm). Cloud farms are operated by CSPs such as Amazon Web Services (AWS), which offer a range of managed services on top of them.
Some companies are adopting a cloud-first strategy for new or replacement systems. Popular cloud deployment models are private cloud, public cloud, hybrid cloud, and community cloud; Diagram 1 defines each model. Popular CSP service models are Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS); Diagram 2 defines each service. Pay-as-you-go (i.e., charging users based on their level of usage) is a popular pricing model.
Diagram 1: Cloud computing deployment models, according to NIST
Diagram 2: The three main cloud service models, according to NIST
Cloud computing has also transformed the shape of organizations. According to Deloitte (2020), "every time executives use cloud services, outsource business processes, or otherwise extend their business beyond the traditional four walls of their organization, executives extend their enterprise." In a cloud computing environment, this "extended enterprise" creates a complex network of distributed, interconnected and interdependent actors who share responsibility, including employees (i.e., first parties), customers (i.e., second parties), suppliers and the subcontractors they in turn engage (i.e., third, fourth and fifth parties). Diagram 3 shows this extended network of relationships.
Diagram 3: The extended enterprise: data sharing and cloud computing networks
The cloud also democratizes and decentralizes IT activities — meaning non-IT staff can develop applications and contract directly with CSPs outside of a centralized IT procurement process.
Cloud-driven changes like the following are also impacting the CFO organization.
- Accounting - FASB issued Accounting Standards Update 2018-15, Intangibles - Goodwill and Other - Internal-Use Software (Subtopic 350-40): Customer's Accounting for Implementation Costs Incurred in a Cloud Computing Arrangement That Is a Service Contract, which provides accounting guidance for cloud computing contracts.
- Taxation - States create and update regulations on the taxability of CSP transactions.
- Regulatory compliance (e.g., Health Insurance Portability and Accountability Act [HIPAA], Sarbanes-Oxley [SOX]) - the use of a CSP creates a shared responsibility model, which contractually defines who is responsible for operating, and for providing assurance over, each required control.
The cloud can also exacerbate existing risks, create new and unexpected risks, and stretch the limits of governance, risk management, cybersecurity, internal audit, backup, and change management. For CPA firms and their clients, this cloud disruption requires analysis of what can go wrong.
The dark side of the cloud?
Back in 2013, McKinsey warned that "large organizations that need to protect many types of sensitive information and have a wide variety of cloud solutions must weigh the potential benefits against the risks of breaching data confidentiality, identity and access integrity, and system availability." More recently, IDC (2018) reported that 50 percent of security professionals spend most of their time protecting the cloud. In 2019, the Cloud Security Alliance (CSA) published its list of the top 11 cloud security threats; Diagram 4 presents the 11 CSA threats.
Diagram 4: Cloud Security Alliance (CSA) Top 11 Threats to Cloud Computing (2019)
Despite these warnings, cloud breaches continue to occur. Recent examples include:
- Capital One - 80,000 bank accounts and over 1 million government identification numbers exposed
- Facebook - 540 million records discovered on a publicly accessible cloud server (ID numbers, account names, likes and comments)
- Instagram – 49 million records related to private information such as email addresses were exposed.
In 2019, Gartner made the following predictions about cloud security:
- By 2024, most organizations will still struggle with measuring cloud security risk.
- By 2025, 90% of organizations that fail to control their use of the public cloud will be sharing sensitive data inappropriately.
- Through 2025, 99% of cloud security failures will be the customer's fault.
Successive waves of breaches suggest that cloud computing is risky: it intensifies known risks (known-knowns), creates new risks (known-unknowns) and gives rise to unforeseen risks (unknown-unknowns). For example, consider the following service availability and network risks tied to the geographic location of the cloud servers an organization relies on:
- Sources of power - who owns it and who distributes it?
- Staff – impact of unforeseen events (eg pandemic); are CSPs ready?
- Access security, including espionage - who has internal access to files?
- Physical site security, including protection against environmental hazards such as radiation - where is the site, and does its connectivity depend on satellite or submarine cable links?
- Human error, such as data mix-ups, accidental deletion and faulty remediation - how are these risks managed?
Industry-wide regulations play an important role in managing such risks. For example, the US Federal Risk and Authorization Management Program (FedRAMP) provides a standardized set of requirements for authorizing federal use of cloud services. Another example is HIPAA, which reaches cloud resources provided by CSPs. The HIPAA Privacy, Security, and Breach Notification Rules establish safeguards for protected health information created, received, maintained, or transmitted by HIPAA covered entities and their business associates (e.g., CSPs). An SLA with a CSP should therefore address HIPAA-related requirements, including system availability and reliability, data backup and recovery, how data is returned to the customer after a service interruption, responsibility for security, and limits on use and disclosure.
Compliance with regulations alone is not enough. To mitigate risk, organizations should conduct a comprehensive enterprise-wide analysis of what could go wrong, including a cybersecurity risk analysis and a single-point-of-failure analysis of their cloud ecosystem. Analyzing what can go wrong raises the question: are CPA firms and their clients ready for cloud risk?
Enterprise risk management perspective
Cloud computing is transforming businesses, with consequences for governance, compliance, risk management, cybersecurity, audit and change management.
The KPMG Audit Committee Institute lists "understanding the impact of technology", and mentions cloud computing specifically, as one of seven items to consider on the 2020 audit committee agenda. In that light, organizations should have a clear view of the nature, scope and location of their CSPs and of the performance of their cloud activities. The board, senior management, and CPAs should ask the following questions:
- What is our company's cloud footprint?
- Do we have a checklist for cloud activities?
- Where are our servers, software and applications?
- Who is responsible for network security, recovery and system control?
- Is there a heat map that ranks data stored in private and public clouds by location?
- Are shared responsibilities for performance, availability, network security, and third-party assurance clearly defined and formalized in a service level agreement (SLA)?
- What global legal systems are we subject to?
- Are management, board members, CSPs and auditors aware of cloud risks?
- What are the contractual CSP requirements and SLA terms and obligations?
- Who accesses our data and why? Who can see our 10-K drafts and trade secrets?
- Does our primary CSP outsource any of our cloud needs to other CSP subcontractors (i.e., third- and fourth-party risk)?
- Do other jurisdictions have access to our data and monitor our activities?
- Do accountants, lawyers and other service providers protect access to and storage of our data?
- Are shared responsibilities for risk management strategies, methodologies and skills well designed and functioning effectively?
- Do we continuously monitor system violations and failures?
- Are the stakeholders who share management responsibilities effective and accountable?
- Do we conduct a top-down assessment of enterprise risk management?
While these questions may seem fundamental, market intelligence suggests that some companies are uncertain about the nature, scope and location of their cloud operations.
One of the reasons is "shadow IT": the adoption of cloud services by personnel across the organization without the knowledge or oversight of the IT department. According to Gartner, most companies significantly underestimate the number of shadow IT applications already in use. A continuously updated inventory of the current state of cloud activity across the enterprise is essential for any holistic analysis of cloud performance and cloud risk.
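The questions above (where the data is, who owns it, which subcontractors it depends on, and whether it sits in a single region) can be answered mechanically once an inventory exists. The following is an added example, not code from the article: it runs a footprint review over a small inventory constructed for illustration. The asset fields, the list of approved accounts and the permitted jurisdictions per data classification are all assumptions for the example; a real review would load the inventory from the CSP APIs and the firm's own asset register.

```python
"""Cloud footprint review over a constructed asset inventory.

Added example, not from the article. The inventory fields, the approved
account list and the permitted jurisdictions are assumed, illustrative values.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CloudAsset:
    name: str
    system: str           # business system the asset belongs to
    provider: str         # CSP, e.g. "aws", "azure", "gcp"
    account: str          # cloud account / subscription / project id
    region: str           # provider region code
    jurisdiction: str     # country whose law governs that region
    classification: str   # "public", "internal", "confidential" or "restricted"
    owner: str            # accountable business owner; "" if nobody is named
    subprocessors: tuple  # fourth-party providers the CSP service relies on


# Constructed sample inventory (assumed values, not real accounts or systems)
INVENTORY = [
    CloudAsset("gl-db", "general-ledger", "aws", "111111111111", "us-east-1", "US",
               "restricted", "finance", ("backup-vendor",)),
    CloudAsset("gl-db-replica", "general-ledger", "aws", "111111111111", "us-east-1", "US",
               "restricted", "finance", ()),
    CloudAsset("hr-files", "hr", "azure", "sub-prod", "westeurope", "NL",
               "confidential", "hr", ()),
    CloudAsset("marketing-site", "web", "aws", "222222222222", "us-west-2", "US",
               "public", "marketing", ()),
    # unknown account, no owner: the shadow-IT case
    CloudAsset("analytics-sandbox", "analytics", "aws", "999999999999", "ap-southeast-1", "SG",
               "confidential", "", ()),
    CloudAsset("10k-drafts", "sec-reporting", "gcp", "proj-fin", "us-central1", "US",
               "restricted", "finance", ()),
    CloudAsset("10k-drafts-dr", "sec-reporting", "gcp", "proj-fin", "us-east1", "US",
               "restricted", "finance", ()),
]

# Assumed policy: accounts procured through central IT, and where each
# classification may be stored. Classifications not listed are unrestricted.
APPROVED_ACCOUNTS = {"111111111111", "222222222222", "sub-prod", "proj-fin"}
PERMITTED_JURISDICTIONS = {"restricted": {"US"}, "confidential": {"US", "NL", "DE"}}


def heat_map(inventory):
    """Assets per (jurisdiction, classification): where is our sensitive data?"""
    return dict(Counter((a.jurisdiction, a.classification) for a in inventory))


def shadow_it(inventory, approved_accounts):
    """Assets outside approved accounts or with no accountable owner."""
    return sorted(a.name for a in inventory
                  if a.account not in approved_accounts or not a.owner)


def jurisdiction_violations(inventory, permitted):
    """Assets whose classification does not permit the jurisdiction they sit in."""
    return [(a.name, a.jurisdiction) for a in inventory
            if a.classification in permitted
            and a.jurisdiction not in permitted[a.classification]]


def single_region_restricted_systems(inventory):
    """Systems holding restricted data whose assets all sit in one region:
    a single point of failure for availability and recovery."""
    regions = defaultdict(set)
    for a in inventory:
        if a.classification == "restricted":
            regions[a.system].add(a.region)
    return sorted(s for s, r in regions.items() if len(r) == 1)


def fourth_party_dependencies(inventory):
    """Assets whose CSP service in turn depends on a subcontractor."""
    return {a.name: a.subprocessors for a in inventory if a.subprocessors}


def review(inventory, approved_accounts=APPROVED_ACCOUNTS,
           permitted=PERMITTED_JURISDICTIONS):
    """Run every check and return the findings keyed by check name."""
    return {
        "heat_map": heat_map(inventory),
        "shadow_it": shadow_it(inventory, approved_accounts),
        "jurisdiction_violations": jurisdiction_violations(inventory, permitted),
        "single_region_restricted_systems": single_region_restricted_systems(inventory),
        "fourth_party_dependencies": fourth_party_dependencies(inventory),
    }


if __name__ == "__main__":
    for finding, value in review(INVENTORY).items():
        print(f"{finding}: {value}")
```

On the sample data the review flags the sandbox account as shadow IT (unapproved account, no owner) and as a jurisdiction violation (confidential data in Singapore), flags the general ledger as held in a single region, and records the backup subcontractor behind the ledger database. The checks are deliberately policy-driven: changing the approved accounts or the permitted jurisdictions changes the findings without touching the checks.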
Cloud computing and enterprise risk management.
Linking objectives and risks is a basic requirement of an enterprise risk management (ERM) framework. The International Organization for Standardization (ISO) defines risk as "the effect of uncertainty on objectives". In cloud computing, such objectives may include privacy, availability, productivity, reliability, compliance, cost transparency, and cost savings. The ERM framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management - Integrating with Strategy and Performance (https://www.coso.org/Documents/2017-COSOERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf), clarifies the relationship between performance objectives and risk.
An enterprise risk management approach also contributes to "cyber resilience," the ability to recover quickly and fully from system failures and security breaches. In a 2020 report on the financial services industry, Thomson Reuters identified cyber resilience as a key regulatory risk, stating: "CEOs must ensure that cyber risk is explicitly among the risks being considered, and that boards are prepared to discuss any potential actions to secure and build cyber resilience throughout the organization." An organization's incident response plan, including its incident and data breach management plans, should be an integral part of its cybersecurity policy and of its ERM analysis. In short, ERM analysis that incorporates the cloud can improve cloud performance, cloud risk management, rapid and appropriate incident response, change management, and overall resilience.
ERM analysis also helps auditors and other assurance providers identify and assess risks and controls, and decide the nature, timing, and extent of the assurance procedures they select. Diagram 5 gives an example of ERM analysis.
Diagram 5: Enterprise risk management (ERM) example: cloud risk analysis
A CPA firm's perspective
Cloud computing is changing the traditional norms for CPA firms, their clients, and external audit and quality control. The Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants addresses this in its 2020-2021 Strategic Plan: "Rapid advances in technology are having a profound impact on the audit and assurance business, including the use of automated tools and techniques and the way engagement teams are structured and interact." In Initiative D, "Keeping our standards relevant in a changing environment", the ASB commits to monitoring the use of innovative technologies and determining whether its standards remain appropriate.
Cloud computing affects CPA assurance providers in many ways, for example: understanding and assessing a client's cloud environment; identifying and assessing risks of material misstatement (RMM); defining the role of system and organization controls (SOC) reporting; and assessing the impact of a client's cloud computing activities on the firm's own compliance with GAAS and quality control (QC) standards.
The customer's environment and the risk of material misstatement.
More and more accounting clients are moving some or all of their accounting systems and financial reporting data to the public cloud. This cloud move brings complexity, disruption and risk.
For example, cloud computing environments often bring third-party CSPs, and possibly the fourth-party CSPs they subcontract (Diagram 3), into the client's accounting system and control environment. Such a network of CSPs results in responsibility shared between the client and its CSPs for financial accounting data, cybersecurity, internal control over financial reporting (ICFR), system and organization controls (SOC) reporting, and assurance services.
In accordance with PCAOB Auditing Standard (AS) 2110, such significant changes in the control environment and accounting systems require the auditor to understand the entity's environment and risks in order to assess the risk of material misstatement (RMM) in the financial statements.
A prudent starting point for understanding the cloud environment and its business risks is an analysis of the client's inventory of cloud operations, including the nature and scope of third- and fourth-party CSPs and any material changes to those contracts during the audit period. The audit client is the primary source for understanding the current state of its cloud. However, market intelligence suggests that some companies do not have an up-to-date analysis of the current state of their cloud activities. A lack of documentation increases RMM and may require additional audit procedures, specialized cloud audit skills and higher audit fees.
SOC reporting in the cloud.
SOC for service organizations is an internal control report on services provided by outside service organizations such as CSPs. AICPA SOC reporting is governed by SSAE 18, including AT-C section 320. The reports in this family are SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity; Diagram 6 defines each report.
Diagram 6: Types of AICPA SOC reports
For assurance clients with significant cloud computing arrangements, the choice of report type, and the firm's eligibility to provide the service, depend on a number of factors: the nature of the assurance service, the client's cloud footprint, its network of third- and fourth-party CSPs, and the terms of the shared control responsibility agreement and service level agreement (SLA) with the CSP.
One of the six elements of the AICPA Quality Control (QC) standard addresses client acceptance and continuance and requires consideration of whether the CPA firm "is competent to perform the engagement and has the capabilities, including time and resources, to do so." A second element, human resources, requires CPA firms to have "sufficient personnel with the competence and capabilities to perform engagements in accordance with professional standards and applicable legal and regulatory requirements." To comply with these QC standards on cloud computing engagements, CPA firms must assess the need for, and the timely availability of, the required expertise.
Another important element of the AICPA QC standard is acquiring new customers and retaining existing customers. These QC considerations include the following:
- The risk of client cloud security breaches and their impact on CPA firms' reputational risk
- Costs and prices of services that by their nature require more time and expertise
- Challenges in obtaining timely and complete access to audit evidence controlled by third- and fourth-party CSPs
- Engagement teams' timely access to the cloud computing expertise they need, including knowledge of industry- and geography-specific regulations
- The ability to protect client data that is stored in the firm's own cloud, accessed through the client's cloud, or accessed through the client's CSP
CPA firms must make selective changes to accept the responsibilities that come with cloud computing, such as training staff, securing subject matter expertise, and protecting the privacy of client data accessed through clients and their CSPs and stored in the CPA firm's own cloud.
Sources
Introduction
- Microsoft, Satya Nadella on why businesses should embrace digital transformation: https://news.microsoft.com/features/satya-nadella-why-businesses-should-embrace-digital-transformation-not-only-to-survive-but-also-to-thrive/
- InformationWeek, "Predictions for cloud computing in 2020": https://www.informationweek.com/cloud/predictions-for-cloud-computing-in-2020/a/d-id/1336738
An enterprise risk management (ERM) perspective
- Thomson Reuters, "5 Key Risks for Firms in 2020": http://financial-risk-solutions.thomsonreuters.info/5-Key-Risks-2020
A CPA firm's perspective
- American Institute of Certified Public Accountants, ASB strategy consultation paper: https://www.aicpa.org/content/dam/aicpa/research/standards/auditattest/asb/downloadabledocuments/asb-strategy-consultation-paper.pdf
Adapt to digital transformation
The advent of cloud computing and the early stages of enterprise digital transformation are having a profound impact on the traditional technologies and services of CPA firms. Organizations adopting or using cloud computing should continually update their cloud operations inventory, including the nature, scope, and location of their cloud operations; conduct a comprehensive enterprise-level analysis of what can go wrong, including the cybersecurity and single-point-of-failure risks in their cloud ecosystem; and conduct a cloud resilience analysis, including ERM analysis of cloud performance, security risk, and change management risk. To adapt to digital disruption and transformation, CPA firms need to understand the impact of cloud computing on their clients' business and control environments, analyze material misstatement and cybersecurity risks, evaluate cloud controls, and keep pace with cloud-related changes as they occur.
Meredith Stein, CPA, directs the NIH Risk Management Program at the National Institutes of Health (NIH) in Bethesda, MD. The views expressed are her own and do not necessarily reflect the views of the NIH or the US government. She started her career at KPMG.
Vincent Campitelli, CPA, is an advisor to the Office of the President of the Cloud Security Alliance (CSA) in Seattle, WA, as an enterprise security expert with a focus on cloud computing. He was a partner at PricewaterhouseCoopers LLP.
Steven Mezzio, Ph.D., CPA, CISA, CISSP, FSAI, is a professor of accounting and executive director of the Center of Excellence for Financial Reporting at Pace University's Lubin School of Business. He is also a former partner of PricewaterhouseCoopers.