The 3rd SET Workshop on Transformative Technologies

August 3, 2012: Learning about the future of accounting at the Annual Meeting



    Kevin Kobelsky
    Addressing cloud computing threats under SSAE 16
    feedback posted July 31, 2012 by Kevin Kobelsky 
    discussion point:

    Are there generally accepted materials addressing the specific threats and related potential controls arising from cloud computing? This would be akin to the procedural guidance provided in the COBIT materials. If there is, how can we obtain it?



    • Robert E Jensen

      Moving to the cloud: Unexpected costs and implementation challenges
      "Cloud adoption brings unexpected costs, KPMG survey says," by Jeff Drew, CGMA Magazine, February 5, 2013 ---

      Office in the Cloud
      "Microsoft Office 2013 Officially Released," by David Ringstrom, AccountingWeb, February 1, 2013 ---

      "Microsoft's Office 2013 Is Software for the Cloud," by Ashlee Vance and Dina Bass, Bloomberg Business Week, January 29, 2013 ---

      When Microsoft (MSFT) said it would buy Yammer for $1.2 billion last June, many in Silicon Valley scoffed that the deal was a costly disaster in the making. Microsoft wanted to join forces with a hip maker of social networking tools for businesses that delivers its product as an evolving Web service. The culture clash was expected to result in Yammer’s employees being overburdened with bureaucracy. The prediction was they would flee in droves. “We were quite concerned about this coming together of two worlds,” says Adam Pisoni, Yammer’s co-founder and chief technology officer.

      As the companies worked to close the deal, Pisoni flew to Microsoft’s Redmond (Wash.) headquarters to seek reassurance from Chief Executive Officer Steve Ballmer and Kurt DelBene, head of the Office business. Pisoni was taken aback by what he found: Microsoft had spent the last couple of years revamping its engineering teams’ processes to be more like Web startups. “We have to remember our roots and go back to building what’s good for the consumer,” Pisoni says Ballmer told him.

      On Jan. 29, Microsoft began selling this new image of the company to the public with the release of Office 2013. This version, the first major overhaul of the franchise in three years, is Office for the cloud. The applications—Word, Excel, PowerPoint, Outlook, and others—have a much cleaner design, work with touch interfaces, and can save files directly to SkyDrive, Microsoft’s online storage service. Users can run Office as an app and share files across PCs, Macs, Windows tablets, and Windows phones, and they can tap into an online-only version of Office on almost any device. In the coming months, Office will be linked with Yammer’s service, which looks similar to Facebook (FB), so users can open documents and presentations and work on projects together.

      In an interview, Ballmer stresses that Office 2013 should be viewed as a service. Microsoft will add features to the software as they’re developed, instead of going years between updates. Microsoft will also sell Office to consumers on a subscription basis: $100 per year will get a family five licenses for Office, 20 gigabytes of storage on SkyDrive, and 60 minutes of free calls per month on Skype, which Microsoft acquired in 2011. “It embraces the notion of social,” Ballmer says. “You stay connected and share information with the people you care about.”

      While Microsoft was working to get Office right, its nimbler rivals charged forward. Dropbox recently passed the 100 million-user mark, making it one of the leading services for storing and sharing files across devices. Another cloud application, Box, has gained popularity with corporations that want to store and edit internal files and collaborate with other companies on projects. And Google (GOOG) sells low-cost rivals to Office products, including Quickoffice, an application that can run on iPads.

      Last year, Microsoft’s business software division generated $24 billion, about one-third of Microsoft’s $73.7 billion revenue. It’s the company’s biggest, most profitable division and accounts for a handful of Microsoft’s fastest-growing products. Ballmer refers to Dropbox as “a fine little startup,” adding, “you have to remember that 100 million users sounds like a pretty small number to me.”

      Microsoft plans to update Office every three months with features intended to keep the product’s 1 billion users happy. Its software engineers have moved from upgrading their test version of Office every month to working on a new copy of the software every day. The company has invested in automated systems that can spot errors in code and help engineers keep programming at pace. “It’s turned all our engineering systems on their head,” says Jeff Teper, a Microsoft vice president.

      Yammer was mined for some data-analytics techniques, including algorithms to figure out which features were favored by testers of early versions of Office 2013. Yammer has been sending teams to Microsoft to teach engineers how to test new tools and designs and then measure precisely how they change users’ behavior. “It forces you to build software that is good for the user,” says Pisoni. Microsoft and Yammer are building toward a day when most business files are Web-connected and interactive. “Is every Office document a website? It’s possible,” says Ballmer.

      Continued in article


      "Office 2013: Where Are All The Apps?" by  Mark Hachman, ReadWriteWeb, February 4, 2013 ---

    • Robert E Jensen

      Teaching Case
      From The Wall Street Journal Weekly Accounting Review on August 1, 2014

      Moving to the Cloud? Engage Internal Audit Upfront to Manage Risks
      by: Deloitte Risk Journal Editor
      Jul 24, 2014

      TOPICS: Auditing, Cloud Computing, Internal Auditing

      SUMMARY: Cloud computing can yield significant benefits, from increasing speed to market and achieving better economies of scale to improving organizational flexibility and trimming spending on technology infrastructure and software licensing. As organizations increasingly migrate to cloud computing, however, they could be putting their data at significant risk. Positioning the internal audit (IA) function at the forefront of cloud implementation and engaging IA in discussions with the business and IT early on can help address potential risks.

      CLASSROOM APPLICATION: This article offers an example of how the internal audit function of a business operates, in this case specifically with cloud computing.

      1. (Introductory) What is the internal audit (IA) function of a business? Why would a business use IA?

      2. (Advanced) What is cloud computing? What is its value to a business? What new issues might it bring to the business?

      3. (Advanced) What value can the IA function bring to an organization's adoption of cloud computing? What problems could occur if the organization does not engage internal auditors in the process?

      4. (Advanced) What are the various stages of the process in which IA can help? In which stage do you see the greatest value added by IA? Why?

      Reviewed By: Linda Christiansen, Indiana University Southeast

      "Moving to the Cloud? Engage Internal Audit Upfront to Manage Risks," by Deloitte Risk Journal Editor, The Wall Street Journal, July 24, 2014 ---

      Cloud computing can yield significant benefits, from increasing speed to market and achieving better economies of scale to improving organizational flexibility and trimming spending on technology infrastructure and software licensing. As organizations increasingly migrate to cloud computing, however, they could be putting their data at significant risk. Those risks include reduced levels of control as information technology (IT) departments are bypassed, as some business owners opt to obtain services more quickly and cheaply by creating their own “rogue” technology environments via the cloud.

      Positioning the internal audit (IA) function at the forefront of cloud implementation and engaging IA in discussions with the business and IT early on can help address potential risks. “Internal auditors view the business through a risk lens,” says Michael Juergens, a principal at Deloitte & Touche LLP. “With their deep understanding of risk mitigation, internal auditors can work with the business and the IT function to build a framework for assessing and mitigating the risks associated with cloud computing.”

      Broadly defined, cloud computing is a model for enabling ubiquitous on-demand network access to a shared pool of configurable computing resources and services, which can be rapidly provisioned and released with minimal management effort or service provider interaction. The IA function can provide assurance on the effectiveness of risk mitigation efforts tied to cloud utilization, explains Mr. Juergens. “Before entering into agreements with cloud vendors or potential customers, a thorough assessment of the current vendor procurement process should be conducted by IA to determine how to mitigate cloud risks the company may be taking on,” he says. “And while an organization’s information security group can build cloud monitoring capabilities, IA can assist and assess the effectiveness of the control environment and prevent the IT department being left out of the loop.”

      A Steady Migration to the Cloud

      Companies are migrating to the cloud in such numbers because of significant advantages it can provide. Once the migration to cloud functionality is complete, organizations no longer face the task of creating and maintaining large data centers and developing proprietary complex systems. The expense of software upgrades or application patches is carried by the provider, which can allocate these costs across a wide customer base. Freed from large up-front capital investments, time-consuming installation and hefty maintenance costs, IT departments can focus on value-added activities that promote the business. While not every organization today has fully embraced cloud computing, chances are cloud services will be the norm within the next decade.

      The growing consumer use of social media and mobile technologies has also added to the demand for cloud services, as businesses seek better and faster ways to reach out to existing and potential customers. Some companies go beyond using the cloud to provide customer services. For instance, in an effort to focus its IT operations on business services, an online video rental and streaming company moved its internal applications to a cloud service provider and began using software as a service (SaaS) applications. Even governments are getting in on the game: A large metropolitan city equipped all its employees with an application for both email and cloud-based collaboration.

      “The shift to cloud computing has essentially extended the boundaries of the traditional computer processing environment to include multiple service providers,” says Khalid Wasti, a director at Deloitte & Touche LLP. “This brings a complex set of risks to an organization’s data as it travels through the cloud.” When a company opts for the speed and convenience of moving to the cloud, it must often relinquish control not only of its own data, but that of its customers. Confidentiality, security and service continuity become critical considerations—as does regulatory compliance, which remains the responsibility of the business,” Mr. Wasti adds.

      How IA Can Help Assess Risks

      As an initial step, an organization should work with IA to create a Cloud Risk Framework Tool. “The tool can help the organization get to the heart of risks by providing a view on the pervasive, evolving and interconnected nature of risks associated with cloud computing,” adds Mr. Wasti. These include governance, risk management and compliance; delivery strategy and architecture; infrastructure security; identity and access management; data management; business resiliency and availability; and IT operations. Such a tool can also improve efficiency in compliance and risk management efforts and be used to develop risk event scenarios that require integrated responses.

      To be more effective, the tool should be customized to include regulatory, geographic, industry and other specific issues that impact the organization. As IA modifies its organizational risk framework and guides the risk conversation with IT and the business, the following issues pertaining to infrastructure security, identity and access management and data management should be taken into account.

      1. Infrastructure Security—Companies should verify that cloud providers have acceptable procedures in areas such as key generation, exchange, storage and safeguarding, as flawed security could result in the exposure of infrastructure or data.

      • Are there security vulnerabilities that might have been introduced by other customers sharing the same environment? Are security patches performed in a timely manner?
      • What is the risk that a denial-of-service attack will occur, and how will the organization respond?
      • What security practices should be introduced as part of the move to the cloud? Do conflicting customer priorities have the potential to compromise cloud service security?
      • If the organization is unable to independently test security, what are the implications?
      • Has the vendor developed an encryption and key-management process?
      • Who should manage the keys?

      2. Identity and Access Management—Organizations should consider how their authorization and access models will integrate with new cloud services and assess whether they are using appropriate identity and authorization schemes.

      • Can internal and cloud-based identity management components be securely integrated?
      • Has the organization conducted adequate due diligence prior to assigning cloud management privileges?
      • Are there proper access controls for cloud management interfaces?
      • Has the cloud provider implemented segregation of duties for its staff?

      3. Data Management—Because organizations may have to relinquish control over their data to cloud providers, it is crucial that they fully understand how data will be handled in the cloud environment.

      • Will the complexity of multiple cloud data stores compromise data retention?
      • What is the risk of unauthorized access to or inappropriate use of sensitive data, and how will this be handled? How will the cloud vendor notify the organization of a violation?
      • Will transfer of data between jurisdictions violate any data privacy laws?
      • Will the organization be able to remove data from multiple cloud data stores?

      Moving Forward

      Implementing a cloud strategy changes the risk landscape in profound ways. As some risks are minimized, others spring up in their place. “Recognizing and responding to this shifting organizational risk profile is IA’s purview,” says Charlie Willis, a senior manager at Deloitte & Touche LLP. “Because internal auditors understand the interplay between business processes and risk, they can help business leaders to articulate their appetite for risk and help develop strategies for mitigating it,” he adds. As the organization adopts technology initiatives that involve cloud computing, IA should consider taking proactive steps to:

      • Engage stakeholders—Encourage IT and business executives to have an informed conversation about the move to the cloud. Help stakeholders understand the potential for rogue IT environments. Explore which applications and data are candidates for transfer to a cloud environment and be prepared to discuss the risk implications of the move.
      • Review the organizational risk framework—Revise the company’s risk framework, minimizing risks that are no longer a concern. This framework tool should measure the organization’s cloud capability state across the different cloud risk domains.
      • Evaluate potential cloud vendors—IT will be most familiar with the range of vendors, and the business leaders will be able to articulate the objectives of a move to the cloud. But IA should also be engaged in risk discussions, along with the organization’s security, risk and compliance groups, and help the organization develop an assessment profile for vendors.
