Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.

Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott (AEP), and Charles Saunders (Franklin University)

Overview of Presentation
1. Charles: Do internal audit fundamentals apply to cloud computing?
2. Jay: How does cloud computing make it into my audit universe?
3. John: How do you execute and sustain the audit plan?

Do internal audit fundamentals apply to cloud computing? In a word, YES!
– Cloud computing is a significant strategic decision.
– Cloud computing has significant financial impact.
– Cloud computing has significant risk implications.
– Cloud computing has significant control considerations.
– Cloud computing requires significant management involvement, oversight, and governance.

COSO Definition of Internal Control
A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations

COSO Definition of Enterprise Risk Management
Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Ten Principles of Cloud Computing Risk
Source: Vohradsky, D. (2012). Cloud risk—10 principles and a framework for assessment. ISACA Journal, 5.
1. Executives must have oversight over the cloud.
2. Management must own the risks in the cloud.
3. All necessary staff must have knowledge of the cloud.
4. Management must know who is using the cloud.
5. Management must authorize what is put in the cloud.
6. Mature IT processes must be followed in the cloud.
7. Management must buy or build management and security in the cloud.
8. Management must ensure cloud use is compliant.
9. Management must monitor risk in the cloud.
10. Best practices must be followed in the cloud.

Risk Implications and Responses
Source: The Committee of Sponsoring Organizations of the Treadway Commission (COSO).
1. Unauthorized cloud activity → Cloud policies and controls
2. Lack of transparency → Assessments of cloud service provider (CSP) control environment
3. Security, compliance, data leakage, data jurisdiction → Data classification policies and processes
4. Transparency and relinquishing direct control → Management oversight, operations monitoring controls
5. Reliability, performance, high-value cyber-attack target → Preventative measures; incident management
6. Non-compliance with regulations → Monitoring of the external environment
7. Vendor lock-in → Preparation of an exit strategy
8. Non-compliance with disclosure requirements → New disclosures in financial reporting
9. All risks → ERM; Internal Audit; Board oversight; management awareness and involvement

Selected Sources of Information about Cloud Computing Risks and Controls
1. COSO
2. IIA
3. ISACA (e.g., COBIT 5, other publications and guidance)
4. IEEE (Institute of Electrical and Electronics Engineers)
5. ENISA (European Network and Information Security Agency)
6. OWASP (Open Web Application Security Project)
7. CSA (Cloud Security Alliance)
8. NIST (National Institute of Standards and Technology)
9. ISO (ISO/IEC)
10. AICPA

Audit Plan Development Process
Inputs to the audit universe:
– External Influences: News/Events; Deloitte Input; Regulatory Compliance Rules & Laws
– Internal Influences: AEP Strategy; Enterprise Risk Management; Interviews; Prior Audits
– Professional Influences: Trade/EEI; Institute of Internal Auditors; Audit Directors Roundtable; Etc.
Flow: Audit Universe → Risk-Based Prioritization (Emerging Risks, Ongoing Risks, Reactive Risks) → Preliminary Audit Plan → Audit Strategy

Auditing Cloud Computing – John Didlott, March 2013

Agenda
– Cloud Audit Drivers
– Audit Planning
  – Scope and Objectives
  – Risk Assessment
  – Engagement Risks
  – Risk Factors
  – Mitigating Risk
– Risks not Specific to the Cloud
– Security Benefits
– Cloud Audit Program Resources
– Questions?

Our Audit and Why
– Data Ownership
– Third party relationship
– Cyber Security

Audit Planning
– Preparing for the audit
  – What do you really have in the “Cloud”?
  – What types of clouds are utilized within your organization?
  – Where do you start?

Objectives and Scope
– Objectives
  – Data Security
  – Control Deficiencies
  – Service Provider Reliability/System Availability
– Scope
  – Governance
  – Contractual Compliance
  – Control Issues specific to Cloud Computing

Risk Assessment
– What is involved in creating the Risk Assessment for a cloud environment?
– What are the risk factors that apply to cloud computing?

Engagement Risks
– Risks based on Management’s Objectives: Security, Cost and System Availability
– Efficiency/Effectiveness of operations: Access to data; System Failure
– Reliability of information: Data Security and Availability

Risk Factors
– The Audit Clause
  – How important is the audit clause? Before you can look at the risk, you need to answer the following question: What do the cloud contracts allow me to do?

Risk Factors Cont…
– Governance and Compliance
  – A cloud solution moves control over governance and compliance to the cloud provider
– Conflicting Security Procedures of Provider
  – The security procedures at both the provider’s and the customer’s end
– Abuse of Privilege at Provider’s End
  – How is access granted at the cloud provider?

Risk Factors Cont…
– Data Security
  – What are the data protection risks I am facing?
– Ineffective deletion of data
  – When I delete data, is the data actually being deleted?
– Lock In/Service portability
  – Data formats and interfaces could make data portability difficult

Risk Factors Cont…
– Multi-tenancy environment
  – If your data contains information that needs to be protected, do you want the data stored in a public (shared) cloud?
– Lack of Compliance Assurance
  – Does your provider meet industry standards and security requirements?
– Lack of Transparency in Supply Chain
  – What are the services the third party is providing?

Risk Factors Cont…
– Resource Limitations
  – Inaccurate modeling and planning
– Remote Access Vulnerabilities
  – How can your data be accessed?
– Business Continuity (BC) Planning and Disaster Recovery (DR)
  – What does your cloud provider have in place?

Strategies for Mitigating Risk
– Get involved at the beginning
  – Start before a contract is signed
– Use encryption in the cloud
  – Prevention of disclosure
– Develop a stronger auditing approach around the provider’s facilities and logs
  – Ensure that access to facilities and logs is available

Strategies for Mitigating Risk Cont…
– Leverage Expertise
  – Determine how data is handled at the provider’s end
– Security Certificates
  – Do they conform to industry standards?
– Data Breaches
  – What actions can you take to protect yourself monetarily?

Risks not specific to the Cloud
– Network Breaks
  – How would this affect your business?
– Network Management
  – Can affect Company reputation and Customer Trust

Risks not specific to the Cloud Cont…
– Unauthorized access to facilities
  – What could happen if an unauthorized access occurred?
– Natural Disasters
  – Can affect Company reputation along with Customer Trust

Security Benefits
– Security and the benefits of scale
  – Cheaper when implemented on a larger scale
– Security as a market differentiator
  – Reputation of Provider
– Standardized interfaces for managed security services
  – Open interface to managed security

Security Benefits Cont…
– Rapid, smart scaling of resources
  – Reallocation of resources
– Audit and evidence-gathering
  – Dedicated forensic images of virtual machines
– More timely, effective and efficient updates and defaults
  – More efficient around updates

Cloud Audit Program Resources
– ISACA – Cloud Computing Management Audit/Assurance Program (…Programs/Pages/ICQs-and-Audit-Programs.aspx)
– Cloud Computing Federal Privacy Recommendations (pdf)
– CSA Cloud Security Guidance
– NIST Cloud Presentations
– GSA Cloud Guidance

Questions?