How to use ERM to manage cloud risks

Management should begin control-related activities before an organisation contracts with a cloud-computing service provider (CSP), according to guidance provided in a recently released thought paper.

The paper, Enterprise Risk Management for Cloud Computing, provides a thorough examination of how to assess and manage the risks presented by cloud computing using the Enterprise Risk Management (ERM)—Integrated Framework of the Committee of Sponsoring Organisations of the Treadway Commission (COSO).

COSO is a joint initiative of five private-sector organisations, including the AICPA, Financial Executives International and the Institute of Internal Auditors, that provide thought leadership and guidance for ERM, internal control, and fraud deterrence.

Written by Crowe Horwath LLP risk management principal Warren Chan and former Crowe risk management consultants Eugene Leung and Heidi Pili, the thought paper says control-related inquiries should be included in a request for proposal or in the due-diligence process when choosing a CSP vendor.

In addition, the paper says, management should attempt to include a right-to-audit clause in the contract with each CSP an organisation uses. The paper suggests that preferably before a CSP is chosen, management should conduct interviews to determine how the CSP would address certain risks and events.

Management could have its internal auditors evaluate the CSP’s internal control environment, the paper says. And management could require the CSP to provide independent audit reports such as those defined by the AICPA with respect to the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the Service Organisation Control 2 (SOC 2) reports including areas of security, availability, processing integrity, confidentiality, or privacy.

Where appropriate, management must implement additional controls so that the format used by the CSP meets all of the organisation’s requirements, the paper says.

COSO Chairman David Landsittel said in a statement that the paper will assist corporate board members with their oversight role. He said the paper also will help executives manage risk in their cloud strategy.

“The potential benefits cloud computing can bring an organisation are numerous, but they are just part of this unfolding story,” Landsittel said in a news release.

The paper provides a list of questions that members of an organisation’s board of directors should consider asking of management with regard to cloud computing. These include:

• Who in management is responsible for understanding and managing business risks associated with cloud computing?

• Does management have effective processes to monitor cloud computing?

• What are competitors doing with respect to cloud computing?

Even if management has no interest in cloud computing, the paper suggests that an organisation should establish controls to prevent and detect unauthorised use of cloud services by employees. Initiating cloud services can be so easy and inexpensive that current controls such as expenditure limits might not trigger attention from management, the paper says.

The paper also advises reviewing contract terms to ensure compliance with data protection laws and jurisdiction with respect to cloud computing. For instance, a US-based CSP that controls data in Germany must comply with German data protection laws, European Union data protection and notification statutes, and USA Patriot Act requirements.

Data classification policies should ensure that the purpose, ownership, and sensitivity of organisational data are communicated and understood throughout the organisation, the paper says.

Executives at public companies need to remain aware of additional financial statement disclosures required by their regulatory compliance and transparency obligations that may be triggered by use of cloud computing, according to the paper.

The paper also says that the consolidation of data belonging to multiple organisations with a single CSP creates additional risks of cyberattacks. A small business that might perceive itself as an unlikely target can see its likelihood of a cyberattack increase when it shares a cloud infrastructure with a high-profile organisation.

To mitigate the risk of cyberattacks, the paper advises using third-party CSPs only for data that is not essential or sensitive. In addition, encryption should be deployed over data hosted in the cloud, the paper suggests.

Cloud computing can yield benefits that have yet to even be discovered, if used appropriately, the paper says. But without proper controls, the paper says, cloud computing also is bound to cause unexpected problems.

—Ken Tysiac (ktysiac@aicpa.org) is a CGMA Manazine senior editor.