Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About?




Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About? IIA San Francisco Chapter October 11, 2011

Agenda
- Introductions
- Cloud computing overview
- Risks and audit strategies
- Q&A

Introductions
Jeff Spivack, Grant Thornton
- Partner and Practice Leader, Business Advisory Services, Greater Bay Area
- National Solution Group member for service organization matters relating to cloud computing
- Local leader for all Governance, Risk and Compliance services
- Over 25 years of consulting and industry experience in New York and Greater Bay Area markets
- Board Member, SF Chapter of IIA

Introductions
Keith Chin, Salesforce.com
- Internal Audit Manager, San Francisco
- 12 years internal audit experience
- External audit experience at Deloitte, primarily in the technology and banking industries
- License management and internal audit manager at Oracle
- Focused on global audits across a wide spectrum of business processes

Introductions
Lisa Core, Salesforce.com
- Technology Audit & Compliance Program Manager
- 3 years of experience in KPMG's IT Advisory Group
- Organized and designed a full program of over 300 IT controls at Salesforce.com
- Leads many technology-related audits and assessments
- Supports the Salesforce.com sales organization with the completion of highly technical RFPs/RFIs and security/privacy-related questionnaires

Cloud computing overview
Group discussion
- What is your experience with cloud computing?
- How does your company utilize cloud computing?
- What level of involvement did your Internal Audit group have with your Company's cloud computing implementation?
- Has your company's cloud environment been audited?

Learning objectives
Presentation focus
Today's presentation will focus on the following:
- Understanding primary outsourced/hosted cloud computing options, industry trends, and benefits, including observations from a market leader
- Methods for deciding if cloud computing fulfills the organization's business needs and risk appetite
- Understanding unique risks associated with various cloud computing models
- Practical controls for securing the Company's assets when using cloud computing
- Methods for auditing the Company's use of cloud computing technologies

Agenda
- Introductions
- Cloud computing overview
- Risks and audit strategies
- Q&A

Cloud computing overview
Why the buzz?
- Cloud computing is the future of IT
- A new and flexible model for deploying technology
- Extremely reliable and infinitely scalable
- Cost benefits and ease of ownership
- Allows you to expand or contract as business needs dictate
- Pay for only what you need at any given time

Cloud computing overview
Grant Thornton's CAE Survey
More than 300 CAEs surveyed responded that:
- 77% are at least somewhat familiar with cloud computing
- 69% use cloud computing; many expect cloud computing use to increase (45%) or stay the same (55%) in the next 12 months
- When asked to describe their view as to the security, governance, risk and controls implications in moving to a cloud environment, 43% responded "I haven't really given it much thought."
- 64% of respondents do not include cloud computing in their audit plan

Cloud computing overview
Future of cloud computing
"Looking past the current industry hype surrounding all things Cloud, Forrester believes that Cloud computing is a sustainable, long-term IT paradigm, and the successor to previous mainframe, client/server, and network computing eras."
- Forrester Research, Inc., The Evolution of Cloud Computing Markets

Cloud computing overview
A full spectrum of definitions - simple
"The cloud is about immediacy, elasticity, and utility economics" - Mark Shuttleworth, Ubuntu & Canonical
"The cloud is water vapor" - Larry Ellison, Oracle

Cloud computing overview
Three basic flavors of service (cont'd)
#1 Infrastructure
- Data Center
- Processor
- Memory
- Storage
- Virtualized & Dynamic
- Redundant

Cloud computing overview
Three basic flavors of service (cont'd)
#2 Platform
- Operating System
- Web Servers
- Database Servers
- Operational Services
- Virtualized Infrastructure

Cloud computing overview
Three basic flavors of service (cont'd)
#3 Application
- Google Apps
- Salesforce
- Mobile Me
- Platform
- Infrastructure

Cloud computing overview
Types and models
Types of Clouds:
- Public - Shared computer resources provided by an off-site third-party provider
- Private - Dedicated computer resources provided by an off-site third party, or use of cloud technologies on a private internal network
- Hybrid - Consisting of multiple public and private clouds
Models of Cloud:
- Software as a Service (SaaS) - Software applications delivered over the Internet
- Platform as a Service (PaaS) - Full or partial operating system/development environment delivered over the Internet
- Infrastructure as a Service (IaaS) - Computer infrastructure delivered over the Internet

Cloud computing overview Global Public Cloud Market Size

Cloud computing overview
Service model attributes
- Software as a Service (SaaS): The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
- Platform as a Service (PaaS): The consumer has control over the deployed applications and possibly application hosting environment configurations.
- Infrastructure as a Service (IaaS): The consumer has control over operating systems, storage, deployed applications, and possibly select networking components (e.g., firewalls, load balancers).

Agenda
- Introductions
- Cloud computing overview
- Risks and audit strategies
- Q&A

Risks and audit strategies
System failure at Amazon.com
"A widespread failure in Amazon.com's Web services business affected many Internet sites, highlighting the risks involved when companies rely on so-called cloud computing. The problems affected sites including Quora.com, Reddit.com, GroupMe.com and Scvngr.com, which all posted messages to their visitors about the issue. Most of the sites have been inaccessible for hours, and others were only partly operational..."
- NYTimes.com, April 21, 2011

Risks and audit strategies
Security breach at Epsilon
"A data breach at one of the world's largest providers of marketing email services may have enabled unauthorized people to access the names and email addresses for customers of major financial-services, retailing and other companies."
- WSJ.com, April 4, 2011

Risks and audit strategies
Potential risks
- What are the physical components of the Clouds?
  - Data Centers: self-hosted, third-party, both, etc.?
  - Network circuits and firewalls: who's managing, who's watching, etc.?
  - Disaster preparedness and recoverability: is there a plan, is it tested, etc.?
- Who is aware of and managing vendor SLAs, and are they adequate?
- Where's the data and how is it protected?
  - In-flight, standing still/at-rest, etc.?
  - Archives and back-up?
  - Unintended uses?
  - Data privacy and compliance?
- What is the tone at the top?
  - Stakeholder knowledge of attributes and risks
  - Have internal controls evolved effectively?
  - Who is monitoring internal use of public cloud services?

Risks and audit strategies
Service organization considerations
When outsourcing parts of their business (including cloud computing), companies are still responsible for the data, processing and/or services provided by the outsourcing company (the service organization). As a result, many companies (and their auditors) desire or require their service organizations to obtain an independent assessment of their security, availability, processing integrity, confidentiality and privacy practices.

Risks and audit strategies
Service organization considerations
SSAE No. 16, Reporting on Controls at a Service Organization, superseded SAS 70 on June 15, 2011. There are several reporting options for service auditors examining controls at service organizations:
- SOC 1 - financial reporting risks; SSAE 16 report
- SOC 2 - nonfinancial reporting risks; report with testing details
- SOC 3 - nonfinancial reporting risks; "Pass" report with a seal display

Risks and audit strategies
Six additional risk areas
1. Security
2. Multi-tenancy
3. Data location
4. Reliability
5. Sustainability
6. Scalability

Risks and audit strategies
1. Security - risks
- The cloud provider's security policies are not as strong as the Company's data security requirements
- Cloud systems which store Company data are not updated or patched when necessary
- Security vulnerability assessments or penetration tests are not performed to ensure logical and physical security controls are in place
- The physical location of Company data is not properly secured

Risks and audit strategies
1. Security - audit strategy
- Determine if the cloud provider meets or exceeds the Company's security requirements
- Determine if the cloud provider's security posture is based on a security standard (e.g., ISO 27001, Cloud Security Alliance, PCI DSS)
- Determine if the cloud provider has a security assessment performed
- Determine if the cloud provider's Service Organization Report (e.g., SSAE 16, SOC reports) addresses specific security controls

Risks and audit strategies
2. Multi-tenancy - risks
- Company data is not appropriately segregated on shared hardware, resulting in Company data being inappropriately accessed by third parties
- The cloud service provider has not deployed appropriate levels of encryption to ensure data is appropriately segregated both at rest and in transit
- The cloud service provider cannot determine the specific location of the Company's data on its systems
- Company data resides on shared server space, which might conflict with regulatory compliance requirements for the Company

Risks and audit strategies
2. Multi-tenancy - audit strategy
- Inquire of the cloud service provider the method used to secure the Company's data from being accessed by other customers/third parties
- Review the cloud service provider's SLA to determine if the SLA addresses security of the Company's data
- Review independent audit report(s) related to the cloud provider's security posture (e.g., security settings, data encryption methods) and/or exercise the Company's right-to-audit clause
- Gain access to the cloud system(s) and perform limited auditing procedures from the Company's location

Risks and audit strategies
3. Data location - risks
- The Company is not aware of all of the cloud service provider's physical location(s)
- The Company does not know where its data is physically or virtually stored
- The cloud service provider moves Company data to another location without informing the Company
- Company data is stored in international locations and falls under foreign business or national laws/regulations

Risks and audit strategies
3. Data location - audit strategy
- Inquire of the cloud provider the specific physical and virtual location of the Company's data
- Work with the Company's legal group to fully understand the impact and potential risks of the Company's data residing in a foreign country
- Ensure regulatory compliance is maintained if data resides in multiple locations

Risks and audit strategies
4. Reliability - risks
- The cloud service provider has quality of service standards which conflict with business requirements
- During peak system activity times, the cloud service provider experiences system performance issues that result in the following:
  - Company employees cannot access the Company's data when needed
  - Customers are unable to use the Company's systems (such as placing an order on the Company's web site) because of performance problems with the cloud provider

Risks and audit strategies
4. Reliability - audit strategy
- Inquire of the cloud service provider to determine the controls in place to ensure the reliability of the cloud solution
- Obtain an SLA/contract from the cloud service provider which details the specific reliability agreement for the Company. Compare this information to actual performance
- Determine the times that the cloud provider performs system upgrades and/or patches, to ensure data availability during peak business hours is not affected
- Review the Company's business continuity plan and determine if the plan addresses interruptions with the cloud systems used by the Company
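The "compare the SLA to actual performance" and "when are upgrades scheduled" steps above, worked through as an added example (this is code written for this page, not a tool from the presenters or any provider). The status log, the 99.9% target and the 08:00-18:00 peak window are constructed assumptions, not terms of a real contract.

```python
"""Contracted availability versus the provider's actual incident history, plus a
check for maintenance scheduled inside business hours.  Example code for this
page; log lines, SLA target and peak window are constructed assumptions."""
from datetime import datetime, timedelta

# Constructed provider status log for one month: start,end,kind (UTC, ISO 8601).
STATUS_LOG = """\
2011-09-03T02:00,2011-09-03T03:30,maintenance
2011-09-14T14:10,2011-09-14T14:55,outage
2011-09-21T09:00,2011-09-21T09:40,maintenance
2011-09-28T16:05,2011-09-28T16:20,outage
"""
SLA_TARGET = 99.9                  # assumed contracted monthly availability, percent
PEAK_HOURS = (8, 18)               # assumed business hours, 08:00-18:00 UTC
MONTH = (datetime(2011, 9, 1), datetime(2011, 10, 1))


def parse_log(text):
    """Turn the CSV-style status log into (start, end, kind) tuples."""
    events = []
    for line in text.strip().splitlines():
        start, end, kind = line.split(",")
        events.append((datetime.fromisoformat(start), datetime.fromisoformat(end), kind))
    return events


def availability(events, window, count_maintenance=False):
    """Percent of the window the service was up.  Contracts often exclude scheduled
    maintenance from downtime, so the auditor computes both the contractual figure
    and the figure the business actually experienced."""
    start_w, end_w = window
    total = (end_w - start_w).total_seconds()
    down = 0.0
    for start, end, kind in events:
        if kind == "maintenance" and not count_maintenance:
            continue
        s, e = max(start, start_w), min(end, end_w)   # clip the event to the window
        if e > s:
            down += (e - s).total_seconds()
    return 100.0 * (total - down) / total


def overlaps_peak(start, end, peak=PEAK_HOURS):
    """True if the event touches business hours on its start day (events are
    assumed not to cross midnight)."""
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    return start < day + timedelta(hours=peak[1]) and end > day + timedelta(hours=peak[0])


def sla_report(log_text, window=MONTH, target=SLA_TARGET):
    """Findings an auditor would record: both availability figures, whether the
    contractual figure meets the target, and maintenance windows in peak hours."""
    events = parse_log(log_text)
    contractual = availability(events, window)
    experienced = availability(events, window, count_maintenance=True)
    return {
        "contractual_pct": round(contractual, 4),
        "experienced_pct": round(experienced, 4),
        "meets_sla": contractual >= target,
        "peak_maintenance": [s for s, e, k in events
                             if k == "maintenance" and overlaps_peak(s, e)],
    }
```

With the constructed log, one hour of unplanned outage in a 30-day month already leaves the contractual figure under 99.9%, and one of the two maintenance windows falls inside business hours.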

Risks and audit strategies
5. Sustainability - risks
- In the event the cloud service provider goes out of business, the Company might not be able to retrieve the Company's data. In addition, another third party might gain access to/control of the Company's data
- The cloud service provider does not have appropriate system recovery procedures in place in the event of a disaster
- The Company's business continuity plan does not address the cloud service offering being unavailable
- Company data is compromised as a result of a disaster

Risks and audit strategies
5. Sustainability - audit strategy
- Inquire of the cloud service provider to determine if they have adequate controls in place to recover and protect the Company's data even in the event of a disaster
- Review the Company's business continuity plan and determine if the plan addresses interruptions with the cloud solution
- Inquire of the cloud service provider to determine how the Company would gain access to its data in the event the cloud service provider goes out of business

Risks and audit strategies
6. Scalability - risks
- The cloud service provider's systems cannot scale to meet the Company's anticipated growth, both for a short-term spike and/or to meet a long-term strategy
- If the Company decides to migrate all or part of the Company's system and/or data back in-house (or to another provider), the cloud service provider cannot (or will not) provide the data

Risks and audit strategies
6. Scalability - audit strategy
- Determine if the cloud provider's system can scale to meet the Company's expected short-term spikes and/or growth over the next five years
- Determine if the Company has a contingency plan in the event the cloud provider's systems cannot scale to meet the Company's needs
- Determine who is the owner of the Company's data
- Determine if the cloud provider would allow the Company to move data back in-house and/or to another provider. Determine the specific procedures and associated costs needed to perform this task

Risks and audit strategies
Case study
- An energy solutions company is a leading provider of energy solutions with annual revenues in excess of $850 million and a payroll of 400 employees
- Senior Management decided to outsource the payroll system to a SaaS vendor cloud solution to allow for increased efficiency and cost savings
- Internal Audit identified payroll as a high-risk area since this was the Company's first use of a cloud computing solution
- Key payroll data is transmitted on a bi-weekly basis to facilitate payment by the SaaS cloud provider

Risks and audit strategies
Case study (cont'd)
- The Company's Internal Audit department reviewed the cloud provider's Service Organization Report and did not note any exceptions
- Internal Audit also used existing user-ids to perform limited audit procedures and discovered they had access to view and edit another company's payroll information
- The Company discussed the findings with the cloud provider and determined the error occurred after a recent system upgrade
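The control failure behind this case study, and the "perform limited auditing procedures" step of the multi-tenancy audit strategy, as an added example (code written for this page, not the provider's software): a payroll lookup whose post-upgrade version authenticates the caller but never ties the record to the caller's tenant, beside the scoped version, with a regression check that reports every cross-tenant record a user can reach. Tenant names, user-ids and payroll rows are constructed stand-ins.

```python
"""Tenant-scoping defect and fix, with a post-upgrade regression check.
Example code for this page; the store, users and records are constructed."""

# Constructed multi-tenant payroll store: record id -> (tenant, employee, net pay).
PAYROLL = {
    101: ("energyco", "A. Smith", 4200.00),
    102: ("energyco", "B. Jones", 3900.00),
    201: ("othercorp", "C. Lee", 5100.00),
    202: ("othercorp", "D. Wong", 4800.00),
}
# Constructed user directory: user-id -> tenant the authenticated session belongs to.
USERS = {"ec_payroll": "energyco", "oc_payroll": "othercorp"}


def get_record_broken(user, record_id):
    """Defective lookup: checks that the user exists, then returns any record by id.
    The record's tenant is never compared with the caller's tenant, so a valid user
    of one company can read (and, via a matching update path, edit) another
    company's payroll rows."""
    if user not in USERS:
        raise PermissionError("unknown user")
    return PAYROLL[record_id]


def get_record_fixed(user, record_id):
    """Scoped lookup: the tenant comes from the authenticated session, never from
    the request, and a record outside that tenant gets the same 'not found' answer
    as a record that does not exist, so foreign ids cannot even be confirmed."""
    tenant = USERS.get(user)
    if tenant is None:
        raise PermissionError("unknown user")
    rec = PAYROLL.get(record_id)
    if rec is None or rec[0] != tenant:
        raise LookupError("record not found")
    return rec


def cross_tenant_leaks(lookup):
    """Regression check a provider should run after every upgrade (and an auditor
    can ask for evidence of): for each user, request every record id in the store
    and collect the (user, record_id) pairs where another tenant's record came back.
    An empty list means tenant isolation holds for the given lookup function."""
    leaks = []
    for user, own_tenant in USERS.items():
        for record_id in PAYROLL:
            try:
                rec = lookup(user, record_id)
            except (LookupError, PermissionError):
                continue
            if rec[0] != own_tenant:
                leaks.append((user, record_id))
    return leaks
```

Run against the defective lookup the check lists all four foreign rows; against the scoped lookup it returns an empty list, which is the evidence the Service Organization Report alone did not provide.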

Agenda
- Introductions
- Cloud computing overview
- Risks and audit strategies
- Q&A

Q & A

Contact info
Jeff Spivack
Principal, Business Advisory Services
T: 415-365-5434
E: jeffrey.spivack@us.gt.com