3. Cloud Governance and Security (▲7)

Why is it important?

A survey by the Bank of England earlier in the year identified the presence of thousands of cloud-based applications in use across the financial services sector, noting that cloud outsourcing, “where companies store information and use software via shared virtual data and processing services, rather than relying on local servers”, is becoming increasingly popular¹, as well as highly concentrated. The survey indicates that banks use cloud outsourcing more widely than insurers. They mainly use cloud outsourcing to run software and access additional processing capacity (Software-as-a-Service or SaaS) or to support IT infrastructure (Infrastructure-as-a-Service or IaaS). The use of SaaS outweighs the use of IaaS, and with digital transformations powered by cloud technologies being accelerated throughout the pandemic², the prevalence of cloud as the preferred technology architecture model will undoubtedly continue to grow.

What’s new?

Reliance on the use of third-party outsourcing, including Cloud Service Providers, has resulted in an array of recent regulatory interest. With the EBA³, EIOPA⁴  and ESMA⁵  all publishing guidance on the management of cloud outsourcing, the PRA has also published Consultation Papers seeking to enable more consistent oversight of arrangements. The Outsourcing and third party risk management Consultation Paper CP30/19⁶  gives pragmatic guidance to firms for outsourcing (including cloud) with the CP 29/19 also requiring firms to determine the cloud service’s materiality to the outsourcing firm.

As part of transitioning or “migrating “ to the cloud, the responsibility for the operation of many controls shifts away from the outsourcer to the service provider. This is commonly referred to as “the shared responsibility model” with the balance of responsibility being dialled up or down depending upon the service and the deployment model adopted.

The accountability over the operation of effective controls as part of this broader control environment resides with the outsourcer, however, who is also accountable in the regulators’ eyes for the broader safeguarding of data and IT assets. As such, robust oversight and assurance mechanisms from the outsourcer perspective become obligatory in this environment.

The outsourcing organisations should also periodically assess and manage their associated concentration risks – particularly in the case of over-reliance on one of the top-three cloud service providers to support critical services. The regulators are particularly concerned as this can present operational risks for the organisation itself, but also financial stability risks for the system as a whole.
 

What should Internal Audit be doing?

Internal audit teams considering auditing the adoption of cloud within their organisation should consider audits of cloud governance, cloud migration programmes, and targeted reviews over one or more technical areas across a stable environment / deployment. These focus areas which will enable functions to understand how effectively the organisation is identifying and managing the risks associated with cloud. The nature of the deployment, the complexity of the environment and the level of maturity will in turn determine the overall audit need and specific scoping for IT audit teams.

• Cloud governance: Internal audit teams should look to provide assurance over the governance around cloud deployments to determine the extent to which risks are proactively managed and risk metrics are defined and monitored, reducing the risks of ”rogue” or non-compliant deployments for instance. This should also consider compliance with regulatory requirements with regard to the location of the cloud services. We increasingly see functions develop a Risk and Control Matrix and audit framework for cloud that, on the one hand helps bringing consistency in the delivery of cloud audit work across the function, and on the other ensures alignment to the organisation’s key risks, applicable regulatory requirements as well as industry good-practice. The framework should leverage risk and control areas across other IT risk domains.
• Cloud programmes: These reviews should focus on: programme governance and migration approach; business case and benefits realisation; business alignment; plan for technology integration with existing infrastructure and legacy platforms; dependencies and deployment impact assessment across technology estate.
• Targeted reviews: In order to audit specific cloud deployed instances, internal audit teams should define an approach to prioritise the key risk areas for consideration and assessment as part of the audit. A review and challenge of cloud outsourcing register completeness will enable firms to understand their own level of concentration risk to an outsourced provider, including an overview of sub-outsourcing. Additional areas to consider include: access management across the firm and outsourcing organisation(s); potential reliance on service auditor reports or vendor external certifications; integration with legacy systems and impact assessment; governance and internal controls to identify, manage and report risks resulting from all third-party arrangements, including when they leverage embedded capabilities.

__________________________________________________________________

¹ https://www.bankofengland.co.uk/bank-overground/2020/how-reliant-are-banks-and-insurers-on-cloud-outsourcing
² https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Financial-Services/gx-fsi-realizing-the-digital-promise-covid-19-catalyzes-and-accelerates-transformation.pdf
³ https://eba.europa.eu/eba-publishes-revised-guidelines-on-outsourcing-arrangements
⁴ https://www.eiopa.europa.eu/content/guidelines-outsourcing-cloud-service-providers_en
⁵ https://www.esma.europa.eu/press-news/esma-news/esma-consults-cloud-outsourcing-guidelines
⁶ https://www.bankofengland.co.uk/prudential-regulation/publication/2019/outsourcing-and-third-party-risk-management