Cloud services’ can bring cost and performance benefits. But they can also bring new challenges and risks. To help leaders oversee decision-making and implementation of cloud services, we recently published ‘Guidance for audit committees on cloud services’. The magazine, Public Sector Executive, invited us to outline the issues in the article The National Audit Office’s guide to cloud services and has kindly allowed us to reproduce it on this Blog.
What is the cloud?
The ‘cloud’ is a term for using the internet to access systems and data stored outside an organisation’s own premises.
Cloud services are not new. But better and faster internet connections today create new opportunities for cloud services, which are available in an increasing range of areas, including business and financial systems.
Why should you care?
Organisations are increasingly adopting cloud services with the aims of reducing costs, increasing efficiency and transforming their operations. However, there is a growing acknowledgement in government that achieving these benefits is not always straightforward.
To help Boards, Audit Committees and other leaders, our Guidance for audit committees on cloud services sets out questions that can be asked at three stages: assessment, implementation and management of cloud services.
How should you assess the need for cloud?
Moving to cloud can have significant long-term implications for future operation and running costs of an organisation. So, before committing, leaders must first understand what is involved. Management should set clear criteria for success so that it can properly evaluate the options in three key ways.
First, in setting a strategy, avoid being led by specific technological solutions. ‘Cloud first’ may not be right for everyone.
Secondly, costs can vary significantly depending on uncertain factors such as future service usage and organisational capability. Business cases need to be clear on the benefits, whether they are reducing costs, improving services or enabling transformation.
Finally, it is important to check proposed providers meet all relevant security requirements, standards, regulations and business-specific needs. Organisations cannot afford to be passive consumers.
What are the risks in implementation?
Implementing cloud services is a big change, which involves significant challenges and risks. Organisations used to storing data on site may not have the capability or experience to deal with the challenges of introducing and configuring new services.
During implementation, organisations need to address key risks in three key ways.
The first is to devote time and attention to setting up services, and ensuring this continues through implementation to deal with unexpected issues. Organisations need a robust plan in place to maintain business-as-usual while managing change. They need to understand the impact of data quality and whether data should be transferred in its existing state to new systems.
Secondly, risks should be covered with clear responsibilities assigned to staff and mitigating actions should be put in place. For example, there should be plans to deal with a range of scenarios for service outage and data loss.
Thirdly, organisations must consider how these changes will affect all key stakeholders and users, in addition to managing how the new services will be implemented.
What does cloud imply for managing services?
Moving to cloud should reduce the resource needed to manage in-house services. But this will be counterbalanced to some extent by the need for specialist expertise to understand, manage and interpret the interface between the cloud service and the organisation.
A key consideration is the impact on IT operations. Cloud services are updated frequently, and the organisation will often have less control over the acceptance of updates.
A second consideration for management is how much assurance it receives from cloud providers. Cloud providers typically commission Service Organisation Controls (SOC) reports from independent auditors to provide assurance to their customers on controls and security arrangements. External auditors will wish to see these reports as part of the annual audit and follow up any deficiencies.
All of these considerations mean that the decision to adopt cloud services is one that requires active review and consideration by organisations at all levels.
We hope that the information and questions in our Guidance on cloud services will help leaders through this process.
We welcome your comments and invite you to contact us if you would like to discuss the matters raised in this post.