Why is it important to have an inventory of all cloud solutions in use?
FURR An inventory of all cloud solutions in use within the organization is a critical foundational step in establishing a cloud risk and governance program. The inventory can be a useful tool for understanding the aggregate level of risk to the organization by identifying the data and the number and types of cloud computing technologies being used. The inventory also can be used to manage regular reviews of cloud computing solutions to reduce risk and ensure ongoing compliance.
LOVELL Having a complete inventory is the first step in managing the cloud control environment. Armed with this information, organizations can better understand the risks associated with their cloud services; drive clarity regarding roles and responsibilities between vendor and customer; and validate that controls are in place for security, reliability, agility, and compliance of their clouds.
How often should internal audit evaluate solutions?
LOVELL Audit frequency should be based on risk. In a mature organization, internal audit should focus on major cloud projects and migrations, with governance-type audits occurring periodically after the first annual cycle. For an organization just embracing the cloud, internal audits governance-related reviews should occur more often. For organizations with multiple significant applications in the cloud, I would expect some aspect of cloud is covered every year, via project audits, application audits, integrated audits of functions that use cloud services, infrastructure audits, and those focused on cybersecurity. Importandy, the cloud should be audited where it supports critical business activities that also are under audit.
FURR Cloud solutions evolve quickly, and while organizations typically perform due diligence when choosing a provider, the evaluation often does not address how the platform and individual services develop and are monitored and managed over time. Organizations should perform a cloud computing assessment before completing an audit. Performing an assessment first enables internal audit to build relationships and educate stakeholders on the policies, procedures, and controls necessary to mitigate cloud computing risks. Audit frequency depends on the maturity level, complexity, and use of cloud solutions. As the maturity level of the cloud risk and governance program increases, evaluation frequency can be reduced but should be annual...