- Reporting entities are increasingly moving their financial systems to the cloud
- Cloud computing won’t change the nature of audit evidence required, but it can change the availability of evidence
- Assurance teams need to ensure internal controls are strong – and understand the implications of auditing in the cloud
Robert Zaher is Associate Director - Technology Risk, KPMG
Increasingly, our audit clients are moving their key financial and operational systems to the cloud. The cloud offers many benefits: it allows hosting and software solutions that are more dependable, economical and useful than those implemented in-house. But moving to the cloud is a major change to the IT environment and it may result in significant changes in the risks to the availability, confidentiality and integrity of our clients' information. When the IT environment and its risks change, as auditors we need to understand the changes and how they can affect the financial audit.
Understand the environment
'Cloud' comes in many flavours. Typically these include: SaaS (software as a service), PaaS (platform as a service) or IaaS (infrastructure as a service). The difference is the scope of what is outsourced to the service provider (software, platform, or infrastructure). This also determines who is responsible for implementing and operating the controls: the service provider or audit client. We need a full understanding of the information flows and the architecture of the cloud solution to know where to find our audit evidence. And we must remember that although responsibility for performing IT controls can be outsourced, accountability always remains with our audit client.
We should seek to identify all systems that may be relevant to the financial audit, including any operational and financial systems; whether they are in the cloud or on-site; and the interfaces that relay information between them.
Determine audit impact
Once we understand the systems that are relevant to the audit, we need to consider the risks to the information that management relies on to make financial statement assertions. Even if the audit team is not seeking to rely on the effectiveness of general IT controls and automated application controls, it is still important to consider the reliability of the audit evidence itself. Moving to the cloud can introduce risks to the integrity of data, the accuracy of reports, susceptibility to fraud or cyber attack, segregation of duties, the availability of records, and even compliance.
Integrity of data
The integrity of our clients' data is critical, because the data drives key decisions by management, regulators and investors. Inappropriate access controls and permissions can allow hackers and internal fraudsters to compromise data. But we must consider more than just user access: for example, faulty interfaces between systems can also corrupt data, as can bad program coding. To have confidence in the data, we need confidence in the controls surrounding it, and it is not always easy to gain this confidence where cloud service providers perform these controls.
Even if there are no concerns about the integrity of the data, management and auditors rely on accurately coded reports to extract this data. Again, controls are needed to ensure that reports are extracting the right data and that the reports themselves are not used to perpetrate and conceal fraud.
Segregation of duties
We consider segregation of duties both in an IT context (such as developers not having access to introduce unauthorised changes to a production environment) and in the traditional financial process context. When considering segregation of duties, we need to consider all the systems a user has access to, not each system in isolation. With little audit evidence recorded on paper these days, we often find ourselves reconciling data from different systems to gain comfort in its accuracy. But even if the systems are not connected, and even if they are in the cloud, a malicious employee or an external attacker with access to more than one system could perpetrate fraud in one and conceal their tracks in another.
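The cross-system view of segregation of duties described above can be checked mechanically. The following is an added example, not code from the original article or from KPMG: it merges constructed user-access exports from several systems (a cloud ERP, a banking portal, an on-site payroll system, an IaaS console and a SaaS change-management tool) per person, then tests each person's combined capabilities against a list of toxic combinations. All system names, logins, capabilities, the toxic pairs and the identity mapping are hypothetical.

```python
"""Cross-system segregation-of-duties (SoD) check.

Added example, not from the original article. It merges constructed
user-access exports from several systems per person and looks for
toxic combinations of capabilities that no single person should hold,
regardless of which system grants each one.
"""
from collections import defaultdict

# Hypothetical toxic pairs: two capabilities one person must not hold together.
TOXIC_PAIRS = [
    ("create_vendor", "approve_payment"),
    ("create_vendor", "release_bank_payment"),
    ("change_payroll_master", "approve_payroll"),
    ("deploy_to_production", "approve_change"),
]

# Constructed access exports: (system, login as exported, capability).
# Logins differ per system, as they usually do in practice.
ACCESS_EXPORTS = [
    ("erp_saas",       "jdoe@corp.example",   "create_vendor"),
    ("erp_saas",       "asmith@corp.example", "approve_payment"),
    ("erp_saas",       "kchen@corp.example",  "approve_payment"),
    ("bank_portal",    "JDOE",                "release_bank_payment"),
    ("bank_portal",    "kchen",               "release_bank_payment"),
    ("payroll_onsite", "doe_john",            "change_payroll_master"),
    ("payroll_onsite", "asmith",              "change_payroll_master"),
    ("payroll_onsite", "asmith",              "approve_payroll"),
    ("iaas_console",   "mlee",                "deploy_to_production"),
    ("itsm_saas",      "mlee@corp.example",   "approve_change"),
]

# Assumed mapping from non-obvious logins to a canonical person id
# (in practice this would come from HR or the identity provider).
IDENTITY_MAP = {"doe_john": "jdoe"}


def canonical_person(login):
    """Map a system-specific login to one person id."""
    if login in IDENTITY_MAP:
        return IDENTITY_MAP[login]
    # Default rule: strip any e-mail domain and ignore case.
    return login.split("@", 1)[0].lower()


def merge_access(exports):
    """Return {person: {capability: {systems granting it}}}."""
    access = defaultdict(lambda: defaultdict(set))
    for system, login, capability in exports:
        access[canonical_person(login)][capability].add(system)
    return access


def find_conflicts(access, toxic_pairs=TOXIC_PAIRS):
    """Return sorted (person, cap_a, cap_b, systems_a, systems_b) tuples
    for every person holding both halves of a toxic pair."""
    conflicts = []
    for person, caps in access.items():
        for cap_a, cap_b in toxic_pairs:
            if cap_a in caps and cap_b in caps:
                conflicts.append((person, cap_a, cap_b,
                                  tuple(sorted(caps[cap_a])),
                                  tuple(sorted(caps[cap_b]))))
    return sorted(conflicts)


def cross_system_conflicts(conflicts):
    """Subset of conflicts where the two capabilities come from different
    systems only; a per-system SoD review would miss exactly these."""
    return [c for c in conflicts if not (set(c[3]) & set(c[4]))]


if __name__ == "__main__":
    found = find_conflicts(merge_access(ACCESS_EXPORTS))
    for person, cap_a, cap_b, sys_a, sys_b in found:
        print(f"{person}: {cap_a} ({', '.join(sys_a)}) + "
              f"{cap_b} ({', '.join(sys_b)})")
```

The point of `cross_system_conflicts` is that two of the three conflicts in the sample data only appear once access is merged per person: "jdoe" can create a vendor in the cloud ERP and release payments in the banking portal, and "mlee" can both approve a change and deploy it to production, across two different providers. Reviewing each system's user list on its own would report neither. Note also that "kchen" holds a combination that looks suspicious but is not in the rule list; the check is only as good as the toxic-pair definitions the client and auditor agree on.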
Availability of records
When audit evidence lives in the cloud, just as when it is on-site, we need to consider whether it will be available when needed. Our audit clients should seek to understand the backup arrangements their cloud provider offers, the provider's business continuity and disaster recovery plans, and the guarantees provided in the supplier contract for the availability and retention of the information. Many organisations believe that backup and recovery comes standard with a cloud service, but sometimes it is an option one needs to select (and pay extra for). As auditors we need to make sure that audit evidence will be available across the entire audit period. With cloud and outsourced solutions, this is not always guaranteed.
How do we get assurance then?
Unfortunately, the level of audit evidence we require doesn't change when our clients put their systems in the cloud. To get the confidence in controls that we need, we must be able either to audit the cloud service provider's controls to the same level as we would the client's own controls, or to rely on an independent report from a reputable auditor. When relying on such a report, we still need to check that its scope covers the services and controls that matter to the audit and that its period lines up with the audit period. Independent audit reports are becoming more commonplace, but many cloud service providers still do not have them (or could not pass an audit).
The reality is that sometimes we just can't get the level of assurance we were able to get before the client's cloud adoption. In some cases, cloud adoption can affect our overall audit opinion.
So where should we focus our efforts? As auditors, we can emphasise to our clients' management the importance of identifying the risks of adopting cloud technologies, and encourage them to look carefully into the controls of their cloud providers before committing to a cloud service. And we can also encourage cloud service providers (some of whom may be our clients as well) to obtain independent assurance reports. Finally, for our part, we need to seek out the skills and expertise we need to responsibly evaluate cloud risks and third-party assurance reports.
Cloud computing can have significant benefits for our audit clients, but they must make sure there are robust internal controls in place, regardless of where their data lives or who has immediate control over it. And we need to make sure we know how to audit in the cloud.