Comments/suggestions of the member SAIs of WGITA on the draft Cloud Computing Guide and Handbook

# / Member SAI / Comments/suggestions
1. / Japan / 1. We think this handbook and guide are very beneficial in terms of providing guidelines for risk assessment etc., considering that audit cases relating to cloud computing are expected to accumulate in the years ahead.
2. When audited entities use existing services such as “Web-based e-mail applications” (e.g. Gmail) instead of custom-made services, it is very difficult or even impossible for them to request special treatment from the vendor (e.g. Google), and therefore they will end up simply deciding whether or not to use the services that the vendor provides. In such a case, while the audited entities can arrange specific guidelines for use of the services in their internal security policy, it should be taken into consideration that it will be the user, i.e. the auditee, and not the vendor who will bear most of the risks.
Response:
The use of cloud computing services is not without risk for the audited entity or the user of the service. While there are benefits to cloud computing, these need to be balanced against the degree of risk the audited entity is willing to accept. In the example above, it is highly unlikely that Google or Amazon would tailor their service for the user. Thus, if for example the level of security that Google typically provides with its email or other web services (Google Docs, cloud storage, etc.) is not sufficient, then utilizing the service, while cost effective, may not be in the audited entity’s best interest. If they still go ahead with the service, they may find that some of their communications are not as secure as they expect. While this risk can be managed, the audited entity must make a conscious decision to do so and ensure that any additional controls they put on this service (by limiting or filtering content) are monitored and enforced.
This section has been put into the Audit Concerns section of the guide.
3. In outsourced service contracts or construction contracts which are not seemingly related to IT, there could be cases where the contractor uses cloud computing services of its own or from other service providers. It would also be beneficial to deepen the discussion on to what extent the contractors should be subject to controls by audited entities and to what extent the SAI can oversee such controls.
Response:
While this guide and handbook deal primarily with the use of cloud computing services for IT by the audited entity (or the internal IT organization), there may be cases where a non-IT contract (for example building maintenance, physical security, etc.) may utilize cloud computing IT services from a third party. The issue here for the audited entity is to determine what the prime contractor will retain in house (for example the direct labor provided for the effort) and what they will sub-contract to a third party via cloud computing (for example the management of schedules, logging, etc.). For the audited entity, it may be sufficient to lay out in the contract that they need to be provided with logs and other documentation about the level of service and issues, regardless of where these are being processed or stored. This needs to be done at the start of the contract so that the prime contractor is aware of the requirements and can, if possible, request that their cloud computing vendor meet the requirement. Generally, for IT audits most SAIs would not look at construction, facilities management, and other efforts unless specifically requested to do so. It should be noted that any additional requirement for data and other artifacts may increase the cost of the contract, and the SAI or audited entity should be ready to weigh the cost against the risk of not having some specific data element. They should also consider whether there are alternate means to get the data that may be held at the cloud computing vendor or the third party.
This section has been put into the Audit Concerns section of the guide.
4. In addition to the importance of assessing (or meta-evaluating) the risks in audited entities, it would also be necessary to pay attention to the risks for an SAI when using CAATTs or cloud computing services as communication tools. Especially for data preservation, external (overseas) risks should be discussed.
Response:
The use of a cloud computing vendor to store or provide archival and communications services (disk space, or internet or telecom services) is covered under the existing set of risks. Vendors may choose to store data in locations that are not local (i.e., overseas) and thus the audited entity must either state that the data should be stored locally or fully understand the risks and benefits of using overseas locations.
The area of overseas risks has been addressed in the guide section on External (Overseas) Risks.
2. / Kuwait / While the material contains a sufficient description of cloud computing related risks, we think it would be important to add a column in the table containing the risks targeted by the “Audit Issues”.
Once this is done, which is a kind of mapping between the discussed risks and the “Audit Issues”, it might bring out risk areas that are not covered by the questions in the audit issues. This will hopefully ensure a more comprehensive approach to covering all the risk areas discussed in the document.
Response:
A cross reference will be provided. See the reference section in the table in the Handbook referring to risk numbers in the Guide.
3. / Norway / To get a link and an understanding between the handbook and the guide, we suggest a reference between the risks in the handbook and the Audit Issues in the guide.
Response:
Similar to Kuwait’s comments above. A cross reference will be provided.
4. / Bangladesh /
  • Logical diagrams may be included for better understanding of the concept
Response:
Comment not clear. Please elaborate on what the logical diagram should contain, provide an example if it will assist with the explanation.
  • Important issues relating to privacy, compliance, security, sustainability and IT Governance should be covered and discussed in details
Response:
Privacy: these have been addressed in Security / Connectivity / Privacy Risks.
IT Governance
The use of cloud computing does not exempt or free an audited entity from managing IT using best practices for IT Governance. Cloud computing cannot be undertaken prior to having an IT strategy or a plan, and the effort must be managed much like any other investment, with cost-benefit trade-offs and periodic appraisal of the ability of the contractor to meet user requirements.
This has been added to the Audit Concerns section of the guide.
  • A list of acronyms and important definitions may be furnished
Response:
Done.
5. / Slovenia / No comments
6. / Lithuania / No comments