Left column

Middlecolumn

‘Cloud services’ can bring cost and performance benefits. But they can also bring new challenges and risks. To help leaders oversee decision-making and implementation of cloud services, we recently published ‘Guidance for audit committees on cloud services’. The magazine, Public Sector Executive, invited us to outline the issues in the article The National Audit Office’s […]

Article

Cloud services: asking the right questions

Posted on June 27, 2019 by

Image of cloud computing

‘Cloud services’ can bring cost and performance benefits. But they can also bring new challenges and risks. To help leaders oversee decision-making and implementation of cloud services, we recently published ‘Guidance for audit committees on cloud services’. The magazine, Public Sector Executive, invited us to outline the issues in the article The National Audit Office’s guide to cloud services and has kindly allowed us to reproduce it on this Blog.


Diagram comparing on-site and cloud location of services

What is the cloud?

The ‘cloud’ is a term for using the internet to access systems and data stored outside an organisation’s own premises.

Cloud services are not new. But better and faster internet connections today create new opportunities for cloud services, which are available in an increasing range of areas, including business and financial systems.

Why should you care?

Organisations are increasingly adopting cloud services with the aims of reducing costs, increasing efficiency and transforming their operations. However, there is a growing acknowledgement in government that achieving these benefits is not always straightforward.  

To help Boards, Audit Committees and other leaders, our Guidance for audit committees on cloud services sets out questions that can be asked at three stages: assessment, implementation and management of cloud services.

How should you assess the need for cloud?

Moving to cloud can have significant long-term implications for future operation and running costs of an organisation. So, before committing, leaders must first understand what is involved. Management should set clear criteria for success so that it can properly evaluate the options in three key ways.

First, in setting a strategy, avoid being led by specific technological solutions. ‘Cloud first’ may not be right for everyone.

Secondly, costs can vary significantly depending on uncertain factors such as future service usage and organisational capability. Business cases need to be clear on the benefits, whether they are reducing costs, improving services or enabling transformation.

Finally, it is important to check proposed providers meet all relevant security requirements, standards, regulations and business-specific needs. Organisations cannot afford to be passive consumers.

What are the risks in implementation?

Implementing cloud services is a big change, which involves significant challenges and risks. Organisations used to storing data on site may not have the capability or experience to deal with the challenges of introducing and configuring new services.

During implementation, organisations need to address key risks in three key ways.

The first is to devote time and attention to setting up services, and ensuring this continues through implementation to deal with unexpected issues. Organisations need a robust plan in place to maintain business-as-usual while managing change. They need to understand the impact of data quality and whether data should be transferred in its existing state to new systems.

Secondly, risks should be covered with clear responsibilities assigned to staff and mitigating actions should be put in place. For example, there should be plans to deal with a range of scenarios for service outage and data loss.

Thirdly, organisations must consider how these changes will affect all key stakeholders and users, in addition to managing how the new services will be implemented.

What does cloud imply for managing services?

Moving to cloud should reduce the resource needed to manage in-house services. But this will be counterbalanced to some extent by the need for specialist expertise to understand, manage and interpret the interface between the cloud service and the organisation.

A key consideration is the impact on IT operations. Cloud services are updated frequently, and the organisation will often have less control over the acceptance of updates.

A second consideration for management is how much assurance it receives from cloud providers. Cloud providers typically commission Service Organisation Controls (SOC) reports from independent auditors to provide assurance to their customers on controls and security arrangements. External auditors will wish to see these reports as part of the annual audit and follow up any deficiencies.

All of these considerations mean that the decision to adopt cloud services is one that requires active review and consideration by organisations at all levels.

We hope that the information and questions in our Guidance on cloud services will help leaders through this process.

We welcome your comments and invite you to contact us if you would like to discuss the matters raised in this post.


 
Yvonne Gallagher

About the author: Yvonne Gallagher is NAO’s digital transformation expert, focused on assessing the value for money of the implementation of digital change programmes. Yvonne has over 25 years’ experience in IT, business change, digital services and cyber and information assurance, including as CIO in two government departments and senior roles in private sector organisations, including the Prudential and Network Rail.


Share this article on social media:

Tagged:                     


One response to “Cloud services: asking the right questions”

  1. Leslie Black says:

    One key thing about transiting to Cloud based servers is that less time and resources will be needed to manage your now redundant on-premises servers.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Right column

  • About the NAO blog

    Our experts share their views about issues and common challenges facing government, what public sector leaders should look out for and how organisations have addressed issues. Our posts draw together threads from across our reports, share secrets spilled in events and reveal our experts’ expectations for the future.

    We encourage comments that support the exchange of ideas for improvement, but ask that those posting are respectful of others.

  • Sign up for automatic feeds

    Sign up to receive email alerts:




    RSS IconSubscribe in an RSS Reader
  • Recent posts