Managing the Impact of Cloud Computing – The CPA Journal

Cloud computing is in the vanguard of a global digital transformation. This article looks at how to identify cloud computing opportunities and operationalize cloud activities. It also defines the stakeholders involved in the enterprise's risk management strategy and shared responsibility model. Finally, the article provides advice on how to manage the disruption caused by the adoption of cloud computing.

***

A fourth Industrial Revolution is underway globally: a digital revolution driven by the rapid, wide-scale deployment of digital technologies such as high-speed mobile Internet, artificial intelligence (AI), and machine learning. Cloud computing is at the vanguard of this transformation. As a result, organizations of all sizes, sectors, and geographies have substantially and rapidly increased their use of cloud computing. According to Gartner (2019), more than one-third of organizations see cloud investments as a top-three priority. The public cloud services market is projected to reach a staggering $266 billion in 2020.

One driver of this proliferation and widespread use of cloud computing is the current digital transformation. In a 2016 address, Microsoft CEO Satya Nadella advanced this enduring description of digital transformation: organizations "becoming more engaged with their customers, empowering their employees, optimizing how they run their business operations and transforming the products and services they offer using digital content." From a cloud computing perspective, such benefits include outsourcing in-house IT infrastructure that is costly and difficult to update and manage; streamlining and scaling storage, software, and application support; increasing speed and processing capacity; and reducing costs. As a result, organizations of all sizes, geographies, and sectors, including CPA firms and their clients, are developing their own private clouds or purchasing public cloud services from cloud service providers (CSP), such as Microsoft Azure and Amazon AWS.

While such potential benefits are compelling, market intelligence reveals that cloud computing exacerbates risks and creates new and unexpected risks. For example, a cloud security breach exposed the names, addresses, and account details of as many as 14 million U.S.-based Verizon customers. In this context, one can only imagine the potential cloud-related cybersecurity breaches and service failures that may emerge from the unexpected disruption and rapid transformation to remote working caused by the current coronavirus (COVID-19) pandemic. On the one hand, workers unexpectedly transitioning to remote working have been enabled in part by cloud computing to immediately, rapidly, and seamlessly access necessary data, software, and applications. On the other hand, such an unanticipated disruption and rapid transformation has exacerbated existing risks and created new risks as workers access data from remote locations; for example, breaches in data confidentiality, unauthorized access, and system availability failures.

This disruptive cloud paradigm raises questions from corporate boards, managers, regulators, and assurance providers concerning cloud strategy, performance, risks, and controls. Such questions include: the scope and location of cloud activities; the implications of dependency on a web of cloud service provider (CSP) vendors; reputation, intellectual property, financial statement, and market trust vulnerabilities; global jurisdictional regulatory compliance; and the adequacy of risk management, cybersecurity, audit, and change management. This article looks at cloud computing opportunities, risks, and resiliency strategies, including enterprise risk management, CPA firm assurance, and change management.

The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling on-demand access to shared pools of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released. In simple terms, the cloud is a massive cluster of super-sized servers housed in locations scattered around the globe (i.e., cloud farms). Cloud farms are operated by CSP vendors such as Amazon AWS; these vendors provide a range of hosting services.

Some organizations are adopting a cloud-first strategy for new systems or when replacing systems. Popular cloud deployment models include private clouds, public clouds, hybrid clouds, and community clouds; Exhibit 1 defines each model. Popular CSP cloud services include Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS); Exhibit 2 defines each service. Pay-as-you-go (i.e., when customers are billed based on their levels of usage) is a popular pricing model.

Cloud Computing Services Deployment Models, per NIST

Three Primary Models of Cloud Services, per NIST

Cloud computing also changes organizations. According to Deloitte (2020), "Executives extend the enterprise every time they use a cloud service, outsource a business process, or otherwise spread operations beyond the traditional four walls of their organization." In a cloud computing context, this extended enterprise creates a complex web of distributed, interconnected, and interdependent shared-responsibility participants, including employees (i.e., first party), customers (i.e., second party), vendors, and their hired subcontractors (i.e., third, fourth, and fifth parties). Exhibit 3 depicts this web of extended relationships.

Extended Enterprise: Web of Data Sharing and Cloud Computing

The cloud also democratizes and decentralizes IT activities; that is, non-IT employees are able to develop applications and are given the authority to contract directly with CSPs outside of the centralized IT procurement process.

Cloud-driven changes, such as the following, also impact the CFO organization.

The cloud also exacerbates existing risks, creates new and unexpected risks, and stretches the limits of governance, risk management, cybersecurity, internal audit, assurance, and change management. For CPA firms and their clients, this cloud disruption requires a what-can-go-wrong analysis.

As far back as 2013, McKinsey warned, "Large institutions, which have many types of sensitive information to protect and many cloud solutions to choose from, must balance potential benefits against, for instance, risks of breaches of data confidentiality, identity and access integrity, and system availability." More recently, IDC (2018) reported that 50% of security professionals spend most of their time securing the cloud. In 2019, the Cloud Security Alliance (CSA) advanced its top 11 cloud security threats. Exhibit 4 presents the CSA's 11 threats.

Cloud Security Alliance (CSA) Top 11 Threats to Cloud Computing (2019)

In spite of such warnings, recent cloud breaches such as the following continue to emerge:

In 2019, Gartner advanced the following predictions concerning cloud security:

The wave of breaches suggests that cloud computing is risky: it exacerbates existing risks (i.e., known-knowns), creates new risks (unknown-knowns), and creates unforeseeable risks (unknown-unknowns). For example, consider the following service availability and cyber-risks associated with the geographic location of the cloud servers a company relies on:

Sector-level regulations will play an important role in contributing to addressing such risks. For example, a customized set of standards has been developed under the umbrella of the U.S. Federal Risk and Authorization Management Program (FedRAMP) to authorize the use of cloud services. HIPAA regulations that focus on governing cloud resources offered by a CSP are another sector example. The HIPAA Privacy, Security, and Breach Notification Rules establish important protections for individually identifiable health information when created, received, maintained, or transmitted by a HIPAA-covered entity or business associate (e.g., a CSP). For example, CSP-related SLAs should include provisions that address HIPAA-related requirements, including system availability and reliability; backup and data recovery; the manner in which data will be returned to customers after service use termination and security responsibility; and use, retention, and disclosure limitations.

Regulatory compliance alone will not suffice. To mitigate risk, an organization should conduct a holistic, enterprise-wide what-can-go-wrong analysis, including an analysis of cybersecurity risks and a single-point-of-failure risk analysis of its cloud ecosystem. A what-can-go-wrong analysis poses the question: Are CPA firms and their clients prepared to respond to cloud risks?

Cloud computing disrupts organizations, calling into question its impact on governance, compliance, risk management, cybersecurity, audit, and change management.

The KPMG Audit Committee Institute highlighted "understanding technology's impact" (with a reference to cloud computing) as one of its seven items to consider for the audit committee's 2020 agenda. In this context, an organization needs transparency into the nature, scope, and location of CSP vendors and the performance of their cloud activities. The board, senior management, and CPAs should ask the following questions:

While these questions may seem fundamental, market intelligence suggests that some organizations are unclear about the nature, scope, and locations of their cloud activities.

One reason for this is shadow IT activity. This refers to empowered employees scattered throughout the organization who adopt cloud services under the radar of the IT department. According to Gartner, most organizations grossly understate the number of shadow IT applications already in use. A continuously updated inventory of the current state of organization-wide cloud activities is essential for conducting a holistic analysis of cloud performance and risk.

The linkage of objectives and risks is a foundational premise of enterprise risk management (ERM) frameworks. The International Organization for Standardization (ISO) defines risk as the "effect of uncertainty on objectives." For cloud computing, such objectives may include privacy, availability, productivity, reliability, compliance, cost transparency, and cost savings. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework, Enterprise Risk Management – Integrating with Strategy and Performance (https://www.coso.org/Documents/2017-COSOERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf), makes explicit the linkage of performance objectives and risk.

An ERM approach can also contribute to cyber-resiliency: the ability to rapidly and fully recover from system failures and security breaches. In a 2020 financial services industry report, Thomson Reuters identified cyber-resiliency as a key regulatory risk, asserting that "senior individuals need to ensure cyber-risks are expressly included in the range of risks considered, and the board is prepared to discuss the actions taken to ensure all possible has been done to embed cyber-resilience throughout the firm." The organization's incident response plan, including plans for incident handling and information-spillage response, should be an integral part of cybersecurity policy and of an ERM analysis. In summary, an ERM analysis that integrates cloud computing can contribute to cloud performance; managing cloud risk; rapid, timely, and proper incident response; change management; and resiliency.

An ERM analysis will also assist CPA firms and other assurance providers with identifying and assessing risks and controls, as well as the nature, timing, and extent of the audit and attestation procedures selected. Exhibit 5 presents an example of an ERM analysis.

Sample Enterprise Risk Management (ERM): Cloud Risk Analysis

Cloud computing is disrupting CPA firms, their clients, and the traditional norms of the external audit and quality control. In its 2020–2021 Strategy Plan, the AICPA Auditing Standards Board (ASB) addressed this issue: "Rapid developments in technologies are having a profound effect on audit and assurance engagements, including the use of automated tools and techniques and changes in how engagement teams are structured and interact." In "Initiative D: Keep our standards relevant in a changing environment," the ASB commits to monitoring the use of innovative technologies and determining whether the standards in place for the acceptance of clients and service performance are appropriate.

Cloud computing impacts CPA assurance providers in a range of ways; for example, obtaining an understanding of the audit client's cloud environment; identifying and assessing risks of material misstatement (RMM); defining the role to be served by System and Organization Controls (SOC) reports; and assessing the impact of the client's and the firm's cloud computing activities on the firm's compliance with GAAS Quality Control (QC) Standards.

Audit clients are increasingly moving some or all of their accounting systems and financial statement data to public clouds. This cloud transition introduces complexity, disruption, and risk.

For example, a cloud computing environment often integrates third-party CSPs and potentially fourth-party subcontracted CSPs (Exhibit 3) into the client's accounting system and control environment. Such a complex web of CSPs results in shared responsibilities between the client and CSPs for financial accounting data, cybersecurity, internal control over financial reporting (ICFR), service organization controls (SOC) reporting, and assurance services.

Such material changes to the control environment and accounting system require auditors to obtain an understanding of the company's environment and risks as a basis for assessing the risk of material misstatement (RMM) of the financial statements, as prescribed by PCAOB Auditing Standard (AS) 2110.

A prudent starting point for obtaining a preliminary understanding of a company's cloud environment and risks is an analysis of the inventory of audit client cloud activities, including the nature and extent of third- and fourth-party CSP vendors and any material changes in such arrangements during the period under audit. The audit client will be the primary source for obtaining an understanding of the current state of the cloud. Market intelligence suggests, however, that some organizations may not have an up-to-date current-state analysis of their cloud activities. If such documentation does not exist, RMM will increase, and additional audit procedures (e.g., walkthroughs), specialized cloud audit skills, and higher audit fees may be required.

SOC for Service Organizations reports are internal control reports on the third-party services provided by an outsourcing service organization (e.g., a CSP). AICPA SOC reports are subject to standards AT-C section 320 and SSAE 18. The following SOC reports are available in this category: SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity. Exhibit 6 defines each report.

Exhibit 6: Types of AICPA SOC Reports

For audit clients with material cloud computing operations, the selection of report type, as well as the right to conduct such services, will be based upon a range of factors, including the type of assurance service, the audit client's cloud footprint, the web of third- and fourth-party CSP vendors, the shared control responsibility agreements, and the terms of service-level agreements (SLA) with CSPs.

One of the six elements of the AICPA quality control (QC) standards deals with client acceptance and retention, requiring consideration of whether the CPA firm is competent to perform the engagement and has the capabilities, including time and resources, to do so. Another element is associated with human resources, requiring that the CPA firm have sufficient personnel with the competence and capabilities to perform engagements in accordance with professional standards and applicable legal and regulatory requirements. To comply with these QC standards in a cloud computing assurance engagement, CPA firms will need to assess the demand for, and timely availability of, the necessary specialized skills.

Another important element of the AICPA QC standards covers new client acceptance and retention of existing clients. Such QC considerations include the following:

A CPA firm will need to make selective changes to accept cloud computing-related engagements, such as training staff, securing subject-matter experts, and protecting the privacy of client data accessed through the client's and their CSPs' clouds and stored on the CPA firm's clouds.

The emergence of cloud computing and the incipient digital transformation of business are having a profound impact on the traditional techniques and services provided by CPA firms. Organizations adopting or leveraging cloud computing should continuously update their inventory of cloud activities, including the nature, scope, and locations of those activities; conduct a holistic, enterprise-wide what-can-go-wrong analysis, including cybersecurity risks and single-point-of-failure risks associated with their cloud ecosystem; and perform an analysis of cloud computing resiliency, including an ERM analysis of cloud performance, security risk, and change management risk. CPA firms adapting to digital disruption and transformation must obtain an understanding of the implications of cloud computing for their clients' business and control environments; analyze risks of material misstatement and cybersecurity risks; assess cloud controls; and manage cloud-informed changes to the CPA firm's QC processes and compliance.

Meredith Stein, CPA, leads the NIH Risk Management Program at the National Institutes of Health (NIH), Bethesda, Md. The views expressed are her own and do not necessarily represent the views of the NIH or the United States Government. She began her career with KPMG.

Vincent Campitelli, CPA, is a consultant to the office of the president of the Cloud Security Alliance (CSA), Seattle, Wash., serving as an enterprise security specialist with a focus on cloud computing. He is a former partner of PricewaterhouseCoopers.

Steven Mezzio, PhD, CPA, CISA, CISSP, FSAI, is a professor of accounting and the executive director of the Center for Excellence in Financial Reporting for the Pace University Lubin School of Business. He is also a former partner with PricewaterhouseCoopers.
