If you ask most CEOs of both public and private companies where risk lies, the answer will nearly always concern macro issues—the U.S. and world economy, government tax policy, the federal deficit.
The reality is that generally 85 percent of a company’s risk is internal, while just 15 percent of real risk lies in outside factors.
The financial crisis didn’t happen because of the world economy, or because a passel of crooks broke loose from prison. The financial crisis happened because traditional audits look backward, not forward. Lehman Brothers, Countrywide and AIG and their brethren failed because firms were not properly analyzing the risks of the loan portfolios they were buying.
After the Enron scandal broke more than a decade ago, the accounting industry was determined to figure out a way to look forward instead of backward when assessing a firm’s risk, and the work is ongoing; unfortunately it did not happen in time to prevent the financial crisis of 2008.
The various boards that govern accounting formed the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, and issued a framework for internal control to help businesses and other entities assess and enhance their internal control systems.
Assessing internal risk, or those things that you can control versus those you can’t, is a moving target. The advent during the past five years of cloud computing as a better way to provide IT has brought with it concerns about how risky cloud computing actually is as a part of the overall enterprise risk management, or ERM, assessment. It’s a good thing to avoid flying as blindly into cloud computing as Merrill Lynch did into collateralized mortgage obligations.
The risk categories spelled out by the COSO ERM framework are (1) strategic; (2) operations; (3) reporting; and (4) compliance. For each of these areas, the major risk is communications and information. That makes the analysis of risk inside the cloud, including IT governance, paramount for firms. IT governance is the structuring and management of information systems, people, technology and controls to efficiently and effectively support the achievement of the enterprise’s goals and meet all regulatory compliance requirements.
Transferring Risk to the Cloud Provider
Cloud computing—basically storage or browser-based software provided over the Internet—allows firms to transfer IT risk in seven major categories as they are defined by the COSO framework. I’ll outline them and compare the responsibilities of a company with on-site computer systems to those of a company using cloud systems:
• SDLC (System Development Life Cycle) – For an on-site system, implementing major patches and upgrades, regression testing, and migration to production is the company’s responsibility. In the cloud, the company only has to confirm the results of the service provider's upgrade, for example by running some transactions through a “sandbox” or beta site.
• Change management – Companies with on-site systems need to fix bugs and test the fixes. In the cloud, the company only has to confirm the results.
• Logical security – A company that has an on-site system is responsible for all layers—network, operating system, database and applications as well as proper access and password policies. In the cloud, the company's responsibility is to segregate duties and implement password policies. Companies can prevent fraud in the cloud by segregating duties, but that still doesn’t guard against collusion. They must continue to observe behaviors, look for disgruntled employees, and develop a fraud-proof culture.
• Network security – On-site personnel are responsible for security measures for all components. In the cloud, the firm’s requirement is minimal.
• Physical security – The company is responsible for security measures for all components, including the firewall and DMZ. In the cloud, the firm’s requirement is minimal.
• Data backup and restoration – Risk transferred to cloud provider.
• System availability and monitoring – Risk transferred to cloud provider.
By transferring these IT risks, a company shifts liability. How safe is your data? It’s like any other insurance policy. By buying insurance, aren’t you transferring risk? This is no different. That doesn’t mean you don’t have up-front responsibility for vetting your cloud service providers.
For example, make sure your cloud provider has been audited with a SOC 1 or SOC 2 report; which one applies varies with the type of industry. These audits verify that the service provider has the proper procedures in place to protect your data. Don’t let anyone tell you they don’t have time to have an audit performed; walk the other way. You can’t base your company’s risk transfer on someone’s word that your data is “safe with us.” Require audits to fully mitigate risk, or suffer the consequences.
Carolyn Duffy, CPA, is a director of business advisory services for Hein & Associates, a full-service accounting and advisory firm with offices in Denver, Houston, Dallas, and Orange County. She specializes in cloud computing software implementation, as well as designing and implementing methodologies for SOX 404 and IT service lines. She can be reached at firstname.lastname@example.org or (303) 298-9600.
The article first ran on the Accounting Today web site.