In Brief

Thank you for reading this post, don't forget to subscribe!

Cloud computing is in the vanguard of a global digital transformation. This article looks at how to identify cloud computing opportunities and operationalize cloud activities. It also defines the stakeholders involved in the enterprise’s risk management strategy and shared responsibility model. Finally, the article provides advice on how to manage the disruption caused by the adoption of cloud computing.

***

A fourth Industrial Revolution is underway globally; a digital revolution driven by the rapid, wide-scale deployment of digital technologies, such as in high-speed mobile Internet capabilities, artificial intelligence (AI), and machine learning. Cloud computing is at the vanguard of this transformation. As a result, organizations of all sizes, sectors, and geographies have substantially and rapidly increased their use of cloud computing. According to Gartner (2019), more than one-third of organizations see cloud investments as a top-three priority. The public cloud services market is projected to reach a staggering $266 billion in 2020.

One driver in this proliferation and widespread use of cloud computing is the current digital transformation. In a 2016 address, Microsoft CEO Satya Nadella advanced this enduring description of digital transformation: “becoming more engaged with their customers, empowering their employees, optimizing how they run their business operations and transforming the products and services they offer using digital content.” Such benefits from a cloud computing perspective include managing and outsourcing costly and difficult-to-update and -manage in-house IT infrastructure; streamlining and scaling storage, software, and application support; increasing speed and processing; reducing costs. As a result, organizations of all sizes, geographies and sectors, including CPA firms and their clients, are developing their own private cloud or purchasing public cloud services from cloud service providers (CSP), such as Microsoft Azure and Amazon AWS.

While such potential benefits are compelling, market intelligence reveals that cloud computing exacerbates risks and creates new and unexpected risks. For example, a cloud security breach exposed the names, addresses, and account details of as many as 14 million U.S.-based Verizon customers. In this context, one can only imagine the potential cloud-related cybersecurity breaches and service failures that may emerge from the unexpected disruption and rapid transformation to remote working caused by the current coronavirus (COVID-19) pandemic. On the one hand, workers unexpectedly transitioning to remote working have been enabled in part by cloud computing to immediately, rapidly, and seamlessly access necessary data, software, and applications. On the other hand, such an unanticipated disruption and rapid transformation has exacerbated existing risks and created new risks as workers access data from remote locations; for example, breaches in data confidentiality, unauthorized access, and system availability failures.

This disruptive cloud paradigm raises questions from the corporate boards, managers, regulators, and assurance providers concerning cloud strategy, performance, risks, and controls. Such questions include: the scope and location of cloud activities; the implications of dependency on a web of cloud solution provider (CSP) vendors; reputation, intellectual property, financial statement and market trust vulnerabilities; global jurisdiction regulatory compliance; as well as the adequacy of risk management, cybersecurity, audit, and change management. This article looks at cloud computing opportunities, risks, and resiliency strategies, including enterprise risk management, CPA firm assurance, and change management.

The Cloud’s Impact

The National Institute of Standards and Technology (NIST) defines cloud computing as a means for enabling on-demand access to shared pools of configurable computing resources (e.g., networks, servers, storage applications, services) that can be rapidly provisioned and released. In simple terms, the cloud is a massive cluster of super-sized servers housed in locations scattered around the globe (i.e., cloud farms). Cloud farms are operated by CSP vendors such as Amazon AWS; these vendors provide a range of hosting services.

Some organizations are adopting a cloud-first strategy for new systems or when replacing systems. Popular cloud deployment models include private clouds, public clouds, hybrid clouds, and community clouds; Exhibit 1 defines each model. Popular CSP cloud services include Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS); Exhibit 2 defines each service. Pay-as-you-go (i.e., when customers are billed based on their levels of usage) is a popular pricing model.

Exhibit 1

Cloud Computing Services Deployment Models, per NIST

Cloud Deployment Model; Description Single and Multi-Public Cloud • Available to the public • Owned and operated by a third-party CSP Single and Multi-Private Cloud; • Set up for one organization, Almay; involves multiple customers within that organization • May be on or off premises Community Cloud; • Available to the public • Shared by several organizations and supports a specific community that has shared requirements • May be managed by the organizations or a third party • May exist on or off premises Hybrid Cloud; • A composite of two or more of the three deployment models (private, community, or public) • Bound together by technology that enables data and application portability CSP =cloud service provider; NIST, National Institute of Standards and Technology

Exhibit 2

Three Primary Models of Cloud Services, per NIST

Infrastructure as a service (IaaS); The CSP delivers and manages the basic computing infrastructure of servers, software, storage, and network equipment. Platform as a service (PaaS); The CSP delivers and manages the infrastructure, operating system, and programming tools and services, which the client can use to create applications. Software as a service (SaaS); The CSP delivers one or more applications and all the resources (operating system and programming tools) and underlying infrastructure, which the client can use on demand. CSP =cloud service provider; NIST, National Institute of Standards and Technology

Cloud computing also changes organizations. According to Deloitte (2020), “Executives extend the enterprise every time they use a cloud service, outsource a business process, or otherwise spread operations beyond the traditional four walls of their organization.” In a cloud computing context, this “extended enterprise” creates a complex web of distributed, interconnected, and interdependent shared-responsibility participants, including employees (i.e., first party), customers (i.e., second party), vendors, and their hired subcontractors (i.e., third, fourth, and fifth parties). Exhibit 3 depicts this web of extended relationships.

Exhibit 3

Extended Enterprise: Web of Data Sharing and Cloud Computing

The cloud also democratizes and decentralizes IT activities—that is, non-IT employees are capable of developing applications and given the authority to contract directly with CSPs outside of the centralized IT procurement process.

Cloud-driven changes, such as the following, also impact the CFO organization.

  • Accounting—FASB issued Accounting Standards Update 2018-15, Intangibles—Goodwill and Other—Internal-Use Software (Subtopic 350-40): Customer’s Accounting for Implementation Costs Incurred in a Cloud Computing Service Arrangement that is a Service Contract, to provide guidance on accounting for cloud computing arrangements.
  • Tax—States are issuing and updating regulations on the taxability of CSP vendor transactions.
  • Compliance with Regulations (e.g., Health Insurance Portability and Accountability Act [HIPAA], Sarbanes-Oxley Act [SOX])—The use of CSPs creates a shared-responsibility model, requiring a contractual definition of responsibilities for controls and assurance rights.

The cloud also exacerbates existing risks, creates new and unexpected risks, and stretches the limits of governance, risk management, cybersecurity, internal audit, assurance, and change management. For CPA firms and their clients, this cloud disruption requires a what-can-go-wrong analysis.

The Dark Side of the Cloud?

As far back as 2013, McKinsey warned, “Large institutions, which have many types of sensitive information to protect and many cloud solutions to choose from, must balance potential benefits against, for instance, risks of breaches of data confidentiality, identity and access integrity, and system availability.” More recently, IDC (2018) reported that 50% of security professionals spend most of their time securing the cloud. In 2019, the Cloud Security Alliance (CSA) advanced their top-11 cloud security threats. Exhibit 4 presents the CSA’s 11 threats.

Exhibit 4

Cloud Security Alliance (CSA) Top 11 Threats to Cloud Computing (2019)

1; Data breaches; 6; Insider threats 2; Misconfiguration and inadequate change control; 7; Insecure interfaces and application programming interfaces (APIs) 3; Lack of cloud security architecture and strategy; 8 Weak control plan 4; Insufficient identity, credential, access and key management; 9; Metastructure and applistructure failures 5; Account hijacking; 10; Limited cloud usage visibility 11; Abuse and nefarious use of cloud services

In spite of such warnings, recent cloud-breaches such as the following continue to emerge:

  • Capital One—Exposed 80,000 bank accounts and over 1 million government identification numbers
  • Facebook—Exposed 540,000 records (identification numbers, account names, likes, and comments)
  • Instagram—Exposed 49 million records linked to private data such as e-mail addresses.

In 2019, Gartner advanced the following predictions concerning cloud security:

  • Through 2024, the majority of enterprises will continue to struggle with measuring cloud security risks.
  • Through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data.
  • Through 2025, 99% of cloud security failures will be the customer’s fault.

The wave of breaches suggests cloud computing is risky; exacerbating risks (i.e., known-knowns), creating new risks (unknown-knowns), and unforeseeable risks (unknown-unknowns). For example, consider the following service availability and cyber-risks associated with the geographic location of cloud servers a company is relying on:

  • Source of power—who owns it, distributes it?
  • Staffing—impact of unexpected events (e.g., pandemic); are the CSPs prepared?
  • Security of access, including espionage—who has internal access to files?
  • Hardened sites against radioactive dissemination—where is the backup, and is it accessed via satellite or underwater cable?
  • Human error, such as comingling of information, data dumps, and cleansing; how are such risks managed?

Sector-level regulations will play an important role in contributing to addressing such risks. For example, a customized set of standards has been developed under the umbrella of the U.S. Federal Risk and Authorization Management Program (FedRAMP) to authorize the use of cloud services. HIPAA regulations that focus on governing cloud resources offered by a CSP are another sector example. The HIPAA Privacy, Security, and Breach Notification Rules establish important protections for individually identifiable health information when created, received, maintained, or transmitted by a HIPAA-covered entity or business associate (e.g., a CSP). For example, CSP-related SLAs should include provisions that address HIPAA-related requirements, including system availability and reliability; backup and data recovery; the manner in which data will be returned to customers after service use termination and security responsibility; and use, retention, and disclosure limitations.

Regulatory compliance alone will not suffice. To mitigate risk, an organization should conduct a holistic, enterprise-wide what-can-go-wrong analysis, including an analysis of cyber-security risks and a single-point-of-failure risk analysis associated with their cloud ecosystem. A what-can-go-wrong analysis posits the question: Are CPA firms and their clients prepared to respond to cloud risks?

Enterprise Risk Management Perspectives

Cloud computing disrupts organizations, calling into question its impact on governance, compliance, risk management, cybersecurity, audit and change management.

Cloud transparency.

The KPMG Audit Committee Institute highlighted “understanding technology’s impact”—with a reference to cloud computing—as one of their seven items to consider for the audit committee’s 2020 agenda. In this context, an organization needs transparency into the nature, scope, and location of CSP vendors and the performance of their cloud activities. The board, senior management, and CPAs should ask the following questions:

  • What is our enterprise-wide cloud footprint?
    • Do we have an inventory of cloud activities?
    • Where are our servers, software, and applications?
  • Who is responsible and accountable for cybersecurity, system recovery, and controls?
    • Is there a heat-map valuing data stored in private and public clouds, by location?
    • Are shared-responsibilities for performance, availability, cybersecurity, and third-party assurance clearly defined and formalized in a service level agreement (SLA)?
    • Which global jurisdiction regulations are we subject to?
    • Do management, the board, CSPs, and auditors understand cloud risks?
    • What are the CSP contractual requirements and SLA terms and commitments?
  • Who is accessing our data, and why? Can they see our draft 10-K and trade secrets?
    • Do our primary CSPs subcontract our cloud needs to other CSP subcontractors (i.e., third- and fourth-party risk)?
    • Are other jurisdictions accessing our data and surveilling our activities?
    • Do accountants, lawyers, and other vendors safeguard access and storage of our data?
  • Is shared responsibility for risk management strategy, methods, and skills designed properly and operating effectively?
    • Are we monitoring breaches and system failures on a continuous basis?
    • Are stakeholders effective and accountable to those who share responsibility for governance?
    • Are we conducting a top-down enterprise risk management assessment?

While these questions may seem fundamental, market intelligence suggests that some organizations are unclear about the nature, scope, and locations of their cloud activities.

One reason for this is “shadow” IT activities. This refers to empowered employees scattered throughout the organization that are adopting cloud services under the radar of the IT department. According to Gartner, most organizations grossly understate the number of shadow IT applications already in use. A continuously updated inventory of the current state of organization-wide cloud activities is essential for conducting a holistic analysis of cloud performance and risk.

Cloud computing and ERM.

The linkage of objectives and risks is a foundational premise of enterprise risk management (ERM) frameworks. The International Organization for Standardization (ISO) defines risk as “effect of uncertainty on objectives.” For cloud computing, such objectives may include privacy, availability, productivity, reliability, compliance, cost transparency, and cost savings. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework, Enterprise Risk Management Integrating Strategy with Performance, DNShttps://www.coso.org/Documents/2017-COSOERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf makes explicit the linkage of performance objectives and risk.

An ERM approach can also contribute to “cyber-resiliency”; the ability to rapidly and fully recovery from system failures and security breaches. In a 2020 financial service industry report, Thomson Reuters identified cyber-resiliency as a key regulatory risk, asserting that, “senior individuals need to ensure cyber-risks are expressly included in the range of risks considered, and the board is prepared to discuss the actions taken to ensure all possible has been done to embed cyber-resilience throughout the firm.” The organization’s incident response plan, including plans for incident-handling and information-spilling response, should be an integral part of cyber-security policy and an ERM analysis. In summary, an ERM analysis that integrates cloud computing can contribute to cloud performance; managing cloud risk; rapid, timely, and proper incident response; change management; and resiliency.

An ERM analysis will also assist CPA firms and other assurance providers with identifying and assessing risks and controls, as well as the nature, timing, and extent of audit and attestation procedures selected. Exhibit 5 presents an example of ERM analysis.

Exhibit 5

Sample Enterprise Risk Management (ERM): Cloud Risk Analysis

Assessment Risk; Likelihood; Impact; Possible Risk Response If an organization does not invest in, adequately implement, and maintain cloud computing to meets its business needs, then innovations and efficiencies in operations may not be achieved.; Medium; High; ▪ Formalize terms of cloud services with a Service Level Agreement (SLA) to document roles and shared responsibilities between the organization and cloud service provider (CSP) vendor. ▪ Perform due-diligence before entering into an SLA with a third-party cloud service provider (CSP) vendor. If stakeholders subvert the initiative to use cloud computing, then the change may not be universally and properly adopted.; Medium; Medium; ▪ Dedicate a team of change management specialists to the change initiative ▪ Understand how to engage stakeholders, manage their expectations, and facilitate accountability and responsibility ▪ Assess the change readiness of stakeholders ▪ Communicate the importance of the change, time frames, and responsibilities of stakeholders ▪ Develop training and provide stakeholder assistance If there is a failure to safeguard personally identifiable information that results in a breach/incident, then there will be an adverse impact on the business and the individuals whose information was compromised.; Low; High; Establish cybersecurity policies and procedures, conduct annual IT audits, and require employees to complete security awareness training. If the organization is unaware of the full inventory of cloud services being used, critical weaknesses may go undetected and data may be subject to theft, exploitation, and manipulation.; High; High; Conduct an assessment to determine the full inventory of cloud services. If an SLA with CSP does not exist or does not specify terms related to data rights, data usage, or vendor lock-in, then an organization may be at risk of not efficiently managing cloud services and expenses.; Medium; Medium; Require the CSP to provide cost calculation tools and data usage monitoring services. Document data ownership rights and the ability to retrieve data from CSP upon term end. If an SLA with CSP does not specify terms related to oversight, accountability, and monitoring, then the organization is unaware of the adequacy of a third-party CSP's risk management practices; High; High; Describe role of CSP to monitor subcontractors providing fourth-party cloud services. Define whether data stored on CSP servers must be located in the United States. Document roles, responsibilities, nature, timing, scope, and frequency of internal audit and third-party (e.g., CPA firm) assurance.

CPA Firm Perspectives

Cloud computing is disrupting CPA firms, their clients, and the traditional norms of the external audit and quality control. In its 2020–2021 Strategy Plan, the AICPA Auditing Standards Board (ASB) addressed this issue: “Rapid developments in technologies are having a profound effect on audit and assurance engagements, including the use of automated tools and techniques and changes in how engagement teams are structured and interact.” In Initiative D: “Keep our standards relevant in a changing environment,” the ASB commits to monitoring the use of innovative technologies and determining whether the standards in place for the acceptance of clients and service performance are appropriate.

Cloud computing impacts CPA assurance providers in a range of ways—for example, obtaining an understanding of the audit client’s cloud environment; identifying and assessing risks of material misstatement (RMM); defining the role to be served by System Organization Control (SOC) reports; assessing the impact of the client’s and the firm’s cloud computing activities on the firm’s compliance with GAAS Quality Control (QC) Standards.

Client environment and the risk of material misstatement.

Audit clients are increasingly moving some or all of their accounting systems and financial statement data to public clouds. This cloud transition introduces complexity, disruption, and risk.

For example, a cloud computing environment often integrates third-party CSPs and potentially fourth-party sub-contracted CSPs (Exhibit 3) into the client’s accounting system and control environment. Such a complex web of CSPs results in shared responsibilities between the client and CSPs for financial accounting data, cybersecurity, internal controls over financial reporting (ICFR), service organizations control (SOC) reporting, and assurance services.

Such material changes to the control environment and accounting system require auditors to obtain an understanding of the company’s environment and risks as a basis for assessing the risk of material misstatement (RMM) of the financial statements, as prescribed by PCAOB Auditing Standard (AS) 2110.

A prudent starting point for obtaining a preliminary understanding of a company’s cloud environment and risks is the analysis of the inventory of audit client cloud activities, including the nature and extent of third- and fourth-party CSP vendors and any material changes in such arrangements during the period under audit. The audit client will be the primary source for obtaining an understanding of the current state of the cloud. Market intelligence suggests, however, that some organizations may not have an up-to-date current state analysis of its cloud activities. If documentation does not exist, this will impact (i.e., increase) RMM and may require additional audit procedures (e.g., walkthroughs), specialized cloud audit skills, and higher audit fees.

SOC Reports in a cloud environment.

SOC for Service Organizations are internal control reports on the third-party services provided by an outsourcing service organization (e.g., CSP). AICPA SOC Reports are subject to standards AT-C section 320 and SSAE 18. The following SOC Reports are available in this category: SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity. Exhibit 6 defines each report.

Exhibit 6

Exhibit 6 Types of AICPA SOC Reports

SOC 1; SOC for Service Organizations; Used by auditors to gain an understanding of ICFR and assess the impact on the audit of financial statements. Type 1: focuses on the design of internal controls Type 2: focuses on both the design and operating effectiveness of internal controls SOC 2; SOC for Service Organizations: Trust Services Criteria; Controls at a service organization relevant to security, availability, and processing integrity of the systems used to process users' data and the confidentiality and privacy of the information processed by these systems. Type 1: focuses on the design of internal controls Type 2: focuses on both the design and operating effectiveness of internal controls SOC 3; SOC for Service Organizations: Trust Services Criteria for General Use Report; In substance, a lean version of a SOC 2 SOC for Cybersecurity; SOC for Cybersecurity Risk Management; A newer reporting framework that facilitates reporting on a service organization's enterprise-wide cybersecurity risk management program ICFR =Internal Control over Financial Reporting

For audit clients with material cloud computing operations, the selection of report type, as well as the right to conduct such services will be based upon a range of factors, including the type of the assurance service and the audit client’s cloud footprint, as well as the web of third- and fourth-party CSP vendors and shared control responsibility agreements and the terms of service-level agreements (SLA) with CSPs.

CPA firm QC.

One of the six elements of the AICPA quality control (QC) standards deals with client acceptance and retention, requiring consideration of whether the CPA firm is “competent to perform the engagement and has the capabilities, including time and resources, to do so.” Another element is associated with human resources, requiring the CPA firm have “sufficient personnel with the competence and capabilities to perform engagements in accordance with professional standards and applicable legal and regulatory requirements.” To comply with these QC audit standards in a cloud computing assurance engagement, CPA firms will need to assess the demand for, and timely availability of, the necessary specialized skills.

Another important element of the AICPA QC standards covers new client acceptance and retention of existing clients. Such QC considerations include the following:

  • Client cloud security breach risk and the impact on CPA firm reputational risk
  • Cost and pricing of services that inherently demand more time and specialized skills
  • Challenges associated with timely and complete access to audit evidence controlled by third- and fourth-party CSPs
  • Engagement teams have timely access to the necessary specialized competencies in cloud computing, including industry- and geography-specific regulations
  • The ability to safeguard client data stored in the firm’s cloud that has been accessed through the client’s cloud and from the client’s CSPs.

A CPA firm will need to make selective changes to accept cloud computing-related engagements, such as training staff, securing subject experts, and protecting the privacy of client data accessed through the client and their CSP clouds and stored on the CPA firm’s clouds.

Resources

Cloud Computing

Adapting to Digital Transformation

The emergence of cloud computing and the incipient digital transformation of business is having a profound impact on the traditional techniques and services provided by CPA firms. Organizations adopting or leveraging cloud computing should obtain a continuous update of their inventory of cloud activities, including the nature, scope, and locations of their cloud activities; conduct a holistic, enterprise-wide, what-can-go-wrong analysis, including cybersecurity risks and single-point-of-failure risks associated with their cloud ecosystem; and perform an analysis of cloud computing resiliency, including an ERM analysis of cloud performance, security risk, and change management risk. CPA firms adapting to digital disruption and transformation must obtain an understanding of the implications of cloud computing on their clients’ business and control environment; analyze risks of material misstatement and cybersecurity risks; assess cloud controls; and manage cloud-informed changes to the CPA firm’s QC processes and compliance.

Meredith Stein, CPA, leads the NIH Risk Management Program at the National Institutes of Health (NIH), Bethesda, Md. The views expressed are her own and do not necessarily represent the views of the NIH or the United States Government. She began her career with KPMG.
Vincent Campitelli, CPA, is a consultant to the office of the president of the Cloud Security Alliance (CSA) Seattle, Wash., serving as an enterprise security specialist with a focus on cloud computing. He is formerly a partner of PricewaterhouseCoopers.
Steven Mezzio, PhD, CPA, CISA, CISSP, FSAI, is a professor of accounting and the executive director of the Center for Excellence in Financial Reporting for the Pace University Lubin School of Business. He is also a former partner with PricewaterhouseCoopers.