With organisations increasingly adopting cloud computing solutions at varying levels of business criticality, Cristiana Mirosanu and Ian Greaves look at how assurance activities can keep pace, outlining good practice for cloud environments and practical steps across the lines of defence.
Contents

By 2026, Gartner predicts 75% of organisations will use cloud computing services as a fundamental underlying platform. Public cloud spend is also increasing 21.7% year on year – although this represents only a fraction of the global IT spend (projected USD 4.7 trillion in 2023).

Over the past few years, we've seen growth at a rapid pace in cloud usage. The cloud risk increases for organisations that use it to host their critical systems, such as ERP and customer-facing applications, or sensitive data, such as personal data or intellectual property. They may face challenges around cloud controls and assurance, inconsistent approaches across teams, cloud concentration risks, and lock-in with vendors. There is also a shortage in the market for cloud risk specialists who can support organisations to review whether practices are aligned with recommendations from the Cloud Security Alliance and the cloud service providers. 

Issues may also be compounded by the inherent complexity of cloud solutions, lack of visibility at all layers of the computing stack, limited understanding of shared responsibilities for managing cloud controls, and varying compliance requirements for companies operating across multiple jurisdictions. 

 

How are companies tackling cloud assurance?

We talked to a range of financial services and corporate clients to discover how organisations perform their cloud control assurance.

The discussions confirm what analysts report: that established companies operating in financial services have been reluctant to deploy their core banking or systems of record into public cloud service providers (CSP). We also noted that cloud-native banks in the UK are operating core banking on public CSPs. New banking entrants to the UK are increasingly adopting payment aggregators to help them deploy UK subsidiary banks running on public CSPs. By contrast, the non-financial services companies that we spoke with typically run most, if not all, of their core applications on CSPs – typically in a software-as-a-service (SaaS) model.

Approach to cloud control assurance

There is currently no consistent approach to undertaking cloud control assurance in industry. Organisations adopt a range of strategies to ensure they operate with board risk appetite, management comfort and regulations. One common theme is that cloud control assurance activity can be overly manual, rather than using automated tools.

Companies that we spoke with also reported challenges around upskilling or recruiting the right people with technical expertise to provide assurance and challenge on controls.

Cloud concentration risks

We identified different perspectives on cloud concentration risk. While regulators are concerned about companies using a small number of public CSPs, the organisation themselves typically accept the risk of adopting one CSP for specific use cases. While there is acceptance of the risks to operating on one CSP, more could be done to test and prove specific IT disaster recovery plans as expected.

Exit strategy

Larger companies inevitably have multiple CSPs. However, different CSPs are used for different use cases and customer journeys. To mitigate cloud exit and CSP lock-in risks organisations could adopt several strategies, for example:

  • review and amend contracts with CSPs, despite multiple organisations believing these contracts are non-negotiable
  • monitoring CSP financial and non-financial health to get early visibility of CSP problems
  • building methods to enable CSP services, data and infrastructure to be more easily copied or migrated and/or recreate infrastructure from code (coupled with partnerships to ensure the cloud technical capability and capacity is available to perform these changes and to provide oversight).

 

Cloud assurance good practices

Although there are a number of challenges and risks with cloud adoption, we've detailed a number of good assurance practices you can follow, supported by our discussions with several organisations. These good practices are enabled by companies upskilling internal teams around cloud risks and bringing in subject matter experts to review the proposed controls.

Cloud frameworks and control design

The organisations surveyed are drawing on a variety of control frameworks, such as NIST, ISO27001 and the Cloud Security Alliance Cloud Controls Matrix. One frequently used method is to start by using existing internal control frameworks and build on these by adding cloud-specific controls. The next step for companies should be to consolidate their controls, for example by embedding controls into tooling. This would reduce the manual effort to provide assurance and shift focus to more targeted continuous monitoring of controls.

Assessing cloud control design

Organisations typically provide their cloud service providers with supplier questionnaires and are typically directed to existing SOC2 reports for review, with the latter providing more reliable independent assurance around CSP controls. A key control is to reject the use of SaaS providers if they're not able to demonstrate that appropriate controls are in place.

Assessing cloud control operating effectiveness

Another theme is identifying the need to use automated controls to implement guardrails for cloud services. For example, using the cloud vendor’s recommended good practices, or using tailored blueprints and baselines, which are applied before a system goes live and monitored periodically thereafter.

Assessing cloud control monitoring

Organisations use tooling to help with maintaining compliant internal controls. Third-party assurance reports (eg, SOC2) are periodically reviewed by the organisations surveyed to understand shared responsibilities with cloud vendors and where gaps in controls need to be remediated. Nevertheless, these organisations have concerns about visibility and the inability to obtain real-time compliance from cloud service providers, rather than annual or semi-annual reports.

Trends in technology risks 2023
Internal auditors and technology risk functions need to know how to respond to the emerging areas of technology risks their businesses face.

Trends in technology risks 2023

Read this article

 

Practical steps across the lines of defence

When it comes to implementing cloud controls, a cloud assurance strategy and monitoring of cloud controls, there are practical steps that each line of defence can start to apply. Too much assurance can become a burden on the business, with a negligible increase in overall assurance and benefit to governance.

We recommend maintaining an assurance map that provides a point-in-time view of plans across the three lines of defence, and the overall status of activities and observations. This enables better visibility of the assurance being provided on a risk-by-risk basis and allows the relevant governance groups, including the Audit Committee, to make informed choices about whether the assurance is at the required level to meet the board’s risk appetite, including regulatory requirements.

First line of defence: operational management

  • Implementing cloud controls and standards that align with industry good practices, such as the Cloud Security Alliance's Cloud Controls Matrix (CCM) or the National Institute of Standards and Technology's (NIST) Cloud Computing Security Reference Architecture (CCSRA)
  • Engaging with cloud subject matter experts who can provide practical advice around implementing these frameworks and ensuring that controls are sustainable
  • Regularly reviewing and updating cloud environment configurations, access controls, and activity logs to ensure they are aligned with internal policies and objectives, with a view to move towards more automated controls
  • Conducting regular cloud training for employees and third-party contractors who have access to the company's cloud infrastructure, including security, resilience and shared responsibilities
  • Implementing controls to ensure that all new system implementations to public cloud environments follow a defined due diligence process, including input from security and technology functions
  • Agreeing clear roles and responsibilities, both internally and with vendors, for managing the cloud operations and controls

Second line of defence: risk management and compliance

  • Conducting risk assessments and impact analyses of cloud environments to determine priority and frequency of reviews for the controls in these environments
  • Regularly monitoring cloud environments for compliance with internal and regulatory requirements, and identifying areas for improvement
  • Engaging with cloud subject matter experts who understand the unique risks of each cloud service provider and can advise cloud control owners on how to tailor controls to address these
  • Collaborating with first-line management to develop and implement cloud controls that address identified risks and compliance gaps

Third line of defence: internal audit

  • Conducting independent assessments of cloud environments and controls to provide assurance to senior management and the board of directors
  • Augmenting audit teams with cloud subject matter experts who can provide challenge to technology functions on a peer-to-peer level around the design and effectiveness of cloud controls
  • Testing the effectiveness of cloud controls and maturing assurance activities with increased levels of control testing automation and dashboarding capabilities
  • Reviewing and evaluating third-party vendor risk management processes and controls related to cloud environments

 

Addressing the challenges

The rapid growth of cloud spend and adoption is set to continue, with organisations moving more applications to cloud infrastructure, including critical applications. At the same time, companies are facing challenges with cloud controls and assurance, such as inconsistent approaches across teams, cloud concentration risks, and lock-in with vendors.

To address these challenges, organisations need to adopt good practices across all three lines of defence. People are key enablers, therefore teams need to upskill around cloud risks and controls, and call on subject matter experts to provide in-depth, tailored insight and independent assurance for the chosen cloud solutions.

 

For more insight and guidance, contact Cristiana Mirosanu and Ian Greaves.

Heads of internal audit: technical updates and guidance to support your role

Get the latest insights, events and guidance, straight to your inbox.