Cloud Computing and Auditing

People today bandy about the term cloud computing easily and constantly. It IS the latest fad. Related to that is the concept of “auditing” cloud computing or cloud applications or… what? It all sounds very erudite and esoteric and hip, but I can’t help but wonder what all the buzz is about.

I suppose I’m sort of a meat-and-potatoes kind of auditor – stick to the basics, not fancy or flashy, but focused on the key control concepts – what is the objective.

So here, finally, is my question. Isn’t cloud computing simply turning over some critical aspect of your data processing environment to an independent third-party corporate entity?

Economically, at least theoretically, that independent third-party should be farming the benefits of economies of scale and providing a similar service or environment to many different clients. Is that right?

So is there any difference between auditing a cloud computing vendor and any other third-party service provider? The challenges are access to documentation, the ability to test the controls directly or rely on third-party testing (CPA firm SAS 70 reports or the latest iteration thereof). Another challenge is in how to address deficiencies in controls if some are found. What leverage does the contracting company have over the cloud host’s operational environment?

This is classic risk and reward behavior, isn’t it? The risk is loss or lack of control, and the reward is reduced cost and improved service. At least that’s what we hope.

I would be very interested in hearing other opinions, comments and perspectives. Thanks in advance. I’ll be on vacation in Spain for the next 3 weeks.

