By 2026, Gartner predicts 75% of organisations will use cloud computing services as a fundamental underlying platform. Public cloud spend is also increasing 21.7% year on year – although this represents only a fraction of the global IT spend (projected USD 4.7 trillion in 2023).
Over the past few years, cloud usage has grown rapidly. Cloud risk increases for organisations that use the cloud to host critical systems, such as ERP and customer-facing applications, or sensitive data, such as personal data or intellectual property. They may face challenges around cloud controls and assurance, inconsistent approaches across teams, cloud concentration risk, and lock-in with vendors. There is also a shortage in the market of cloud risk specialists who can help organisations review whether their practices are aligned with the recommendations of the Cloud Security Alliance and the cloud service providers themselves.
Issues may also be compounded by the inherent complexity of cloud solutions, lack of visibility at all layers of the computing stack, limited understanding of shared responsibilities for managing cloud controls, and varying compliance requirements for companies operating across multiple jurisdictions.
We talked to a range of financial services and corporate clients to discover how organisations perform their cloud control assurance.
The discussions confirm what analysts report: established companies operating in financial services have been reluctant to deploy their core banking or systems of record into public cloud service providers (CSPs). We also noted that cloud-native banks in the UK are operating core banking on public CSPs, and new banking entrants to the UK are increasingly adopting payment aggregators to help them deploy UK subsidiary banks running on public CSPs. By contrast, the non-financial services companies that we spoke with typically run most, if not all, of their core applications on CSPs, usually in a software-as-a-service (SaaS) model.
There is currently no consistent approach to cloud control assurance in industry. Organisations adopt a range of strategies to ensure they operate within board risk appetite, to management's comfort and in line with regulations. One common theme is that cloud control assurance activity is often overly manual rather than supported by automated tools.
Companies that we spoke with also reported challenges around upskilling or recruiting the right people with technical expertise to provide assurance and challenge on controls.
We identified different perspectives on cloud concentration risk. While regulators are concerned about companies relying on a small number of public CSPs, organisations themselves typically accept the risk of adopting a single CSP for specific use cases. Where that risk is accepted, more could be done to test and evidence the specific IT disaster recovery plans that the acceptance relies on.
Larger companies inevitably have multiple CSPs. However, different CSPs are used for different use cases and customer journeys. To mitigate cloud exit and CSP lock-in risks, organisations could adopt several strategies, for example:
Although there are a number of challenges and risks with cloud adoption, we've detailed a number of good assurance practices you can follow, supported by our discussions with several organisations. These good practices are enabled by companies upskilling internal teams around cloud risks and bringing in subject matter experts to review the proposed controls.
The organisations surveyed draw on a variety of control frameworks, such as NIST, ISO 27001 and the Cloud Security Alliance Cloud Controls Matrix. One frequently used method is to start from the existing internal control framework and build on it by adding cloud-specific controls. The next step for companies should be to consolidate their controls, for example by embedding them into tooling. This reduces the manual effort required to provide assurance and shifts the focus to more targeted, continuous monitoring of controls.
Organisations typically send their cloud service providers supplier questionnaires and are typically directed to existing SOC 2 reports for review; the latter provide more reliable, independent assurance around CSP controls. When reviewing a SOC 2 report, check that its scope covers the services actually consumed and that the reporting period is current, and note the complementary user entity controls that the report assumes the customer operates, since those remain the organisation's responsibility. A key control is to reject SaaS providers that are unable to demonstrate that appropriate controls are in place.
Another theme is the need for automated controls that implement guardrails for cloud services: for example, applying the cloud vendor's recommended good practices, or tailored blueprints and baselines, before a system goes live and monitoring them periodically thereafter.
Organisations use tooling to help maintain compliant internal controls. Third-party assurance reports (eg, SOC 2) are periodically reviewed by the organisations surveyed to understand shared responsibilities with cloud vendors and where gaps in controls need to be remediated. Nevertheless, these organisations have concerns about visibility and about their inability to obtain real-time compliance evidence from cloud service providers rather than annual or semi-annual reports.
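The two themes above, embedding controls into tooling and applying a baseline as a pre-go-live guardrail that is then monitored periodically, can be shown in a small policy-as-code evaluator. This is an added example and not tooling from the original article or from any of the organisations surveyed. The control IDs (CLD-01 to CLD-04), the vendor-neutral resource inventories and the drift scenario are all constructed for illustration; the same checks run once as a deployment gate and again, unchanged, against a later inventory to surface drift.

```python
"""Baseline guardrails as code: one set of control checks used as a
pre-go-live gate and re-run later as periodic monitoring.

Added example, not code from the article.  Control IDs are internal
illustrative labels (not CCM or NIST identifiers) and both inventories
are constructed data in a vendor-neutral shape."""

from dataclasses import dataclass
from typing import Callable


@dataclass
class Control:
    control_id: str                 # constructed internal baseline ID
    description: str
    resource_type: str              # which inventory entries the check applies to
    check: Callable[[dict], bool]   # returns True when the resource passes
    blocking: bool = True           # a failing blocking control stops go-live


@dataclass
class Finding:
    control_id: str
    resource_id: str
    blocking: bool


# Individual control checks over one inventory record.
def storage_not_public(r: dict) -> bool:
    return not r.get("public", False)


def encrypted_at_rest(r: dict) -> bool:
    return r.get("encrypted", False)


def logging_enabled(r: dict) -> bool:
    return r.get("logging", False)


def privileged_has_mfa(r: dict) -> bool:
    return (not r.get("privileged", False)) or r.get("mfa", False)


# The baseline: an existing internal control set extended with cloud-specific checks.
BASELINE = [
    Control("CLD-01", "Storage must not be publicly readable", "storage", storage_not_public),
    Control("CLD-02", "Data stores encrypted at rest", "storage", encrypted_at_rest),
    Control("CLD-02", "Data stores encrypted at rest", "database", encrypted_at_rest),
    Control("CLD-03", "Access logging enabled", "storage", logging_enabled, blocking=False),
    Control("CLD-04", "Privileged accounts use MFA", "user", privileged_has_mfa),
]

# Constructed inventory at go-live: compliant apart from one non-blocking gap.
GO_LIVE_INVENTORY = [
    {"id": "bucket-customer-docs", "type": "storage", "public": False, "encrypted": True, "logging": True},
    {"id": "bucket-marketing-assets", "type": "storage", "public": False, "encrypted": True, "logging": False},
    {"id": "db-ledger", "type": "database", "encrypted": True, "logging": True},
    {"id": "admin-jane", "type": "user", "privileged": True, "mfa": True},
    {"id": "svc-deploy", "type": "user", "privileged": True, "mfa": True},
]

# Constructed inventory some weeks later, as an asset-discovery job might report it:
# the marketing bucket has been made public and MFA removed from svc-deploy.
CURRENT_INVENTORY = [
    {"id": "bucket-customer-docs", "type": "storage", "public": False, "encrypted": True, "logging": True},
    {"id": "bucket-marketing-assets", "type": "storage", "public": True, "encrypted": True, "logging": False},
    {"id": "db-ledger", "type": "database", "encrypted": True, "logging": True},
    {"id": "admin-jane", "type": "user", "privileged": True, "mfa": True},
    {"id": "svc-deploy", "type": "user", "privileged": True, "mfa": False},
]


def evaluate(inventory: list, baseline: list = BASELINE) -> list:
    """Run every control against every resource of the matching type."""
    findings = []
    for control in baseline:
        for res in inventory:
            if res["type"] == control.resource_type and not control.check(res):
                findings.append(Finding(control.control_id, res["id"], control.blocking))
    return findings


def go_live_gate(inventory: list, baseline: list = BASELINE) -> bool:
    """Pre-deployment guardrail: pass only if no blocking control fails."""
    return not any(f.blocking for f in evaluate(inventory, baseline))


def drift(previous: list, current: list, baseline: list = BASELINE) -> list:
    """Periodic monitoring: findings present now that were absent at go-live."""
    before = {(f.control_id, f.resource_id) for f in evaluate(previous, baseline)}
    return [f for f in evaluate(current, baseline) if (f.control_id, f.resource_id) not in before]


def control_status(inventory: list, baseline: list = BASELINE) -> dict:
    """Per-control pass/fail roll-up, the shape an assurance map consumes."""
    failed = {f.control_id for f in evaluate(inventory, baseline)}
    return {c.control_id: ("FAIL" if c.control_id in failed else "PASS") for c in baseline}


if __name__ == "__main__":
    print("go-live gate:", go_live_gate(GO_LIVE_INVENTORY))
    for f in drift(GO_LIVE_INVENTORY, CURRENT_INVENTORY):
        print("drift:", f.control_id, f.resource_id, "blocking" if f.blocking else "advisory")
    print("status now:", control_status(CURRENT_INVENTORY))
```

The design point is that the same `BASELINE` is the single source of truth for both the gate and the monitoring run, so assurance is collected continuously from the organisation's own evidence rather than waiting for a vendor's annual report. Non-blocking controls still produce findings for the assurance map without stopping a release, which keeps the gate from becoming the kind of burden the next section warns about.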
When implementing cloud controls, a cloud assurance strategy and ongoing monitoring of those controls, there are practical steps that each line of defence can start to apply. Too much assurance, however, becomes a burden on the business, with a negligible increase in overall assurance or benefit to governance.
We recommend maintaining an assurance map that provides a point-in-time view of plans across the three lines of defence, and the overall status of activities and observations. This enables better visibility of the assurance being provided on a risk-by-risk basis and allows the relevant governance groups, including the Audit Committee, to make informed choices about whether the assurance is at the required level to meet the board’s risk appetite, including regulatory requirements.
The rapid growth of cloud spend and adoption is set to continue, with organisations moving more applications to cloud infrastructure, including critical applications. At the same time, companies are facing challenges with cloud controls and assurance, such as inconsistent approaches across teams, cloud concentration risks, and lock-in with vendors.
To address these challenges, organisations need to adopt good practices across all three lines of defence. People are key enablers, therefore teams need to upskill around cloud risks and controls, and call on subject matter experts to provide in-depth, tailored insight and independent assurance for the chosen cloud solutions.
For more insight and guidance, contact Cristiana Mirosanu and Ian Greaves.