Quick Links
Advertise with Sarbanes Oxley Compliance Journal

< Back

Sarbanes Oxley : Technology : Risk Management

Assessing Enterprise Risk in the Cloud
February 4, 2013 12:00 PM

If providers undergo legitimate audits, companies can safely transfer risk

By Carolyn Duffy
Carolyn Duffy
Director of Business Advisory Services
Hein & Associates

If you ask most CEOs of both public and private companies where risk lies, the answer will nearly always concern macro issues – the U.S. and world economy, government tax policy, the federal deficit. The reality is that generally 85 percent of a company’s risk is internal, while just 15 percent of real risk lies in outside factors.

The financial crisis didn’t happen because of the world economy, or because a passel of crooks broke loose from prison. The financial crisis happened because traditional audits look backwards, not forwards. Lehman Brothers and Countrywide and AIG and their brethren failed because firms were not properly analyzing the risks of the loan portfolios they were buying.

After the Enron scandal broke more than a decade ago, the accounting industry was determined to figure out a way to look forward instead of backwards when assessing a firm’s risk, and the work is ongoing – unfortunately not in time to prevent the financial crisis of 2008. The various boards that govern accounting formed the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and issued a framework for internal control to help businesses and other entities assess and enhance their internal control systems.

Assessing internal risk, or those things that you can control versus those you can’t, is a moving target. The advent during the past five years of cloud computing as a better way to provide IT has brought with it concerns about how risky cloud computing actually is as a part of the overall enterprise risk management (ERM) assessment.  It’s a good thing to avoid flying as blindly into cloud computing as Merrill Lynch did into collateralized mortgage obligations.

The risk categories spelled out by the COSO ERM framework are (1)strategic; (2)operations; (3)reporting; and (4)compliance. For each one of these areas, the major risk is communications and information.  That makes the analysis of risk inside the cloud, including IT Governance, paramount for firms. IT governance is the structuring and management of information systems, people, technology and controls to efficiently and effectively support the achievement of the enterprise’s goals and meet all regulatory compliance requirements.

Transferring risk to the cloud provider

Cloud computing – basically storage or browser-based software provided over the Internet – allows firms to transfer IT risk in seven major categories as they are defined by the COSO framework. I’ll outline them and compare the responsibilities of a company that has on-site computer systems to cloud systems:

  • SDLC (System Development Life Cycle) – The job of implementing major patch and upgrade and regression testing and migration to production is the company’s responsibility. In the cloud, the company only has to confirm the results of the service provider's upgrade. A company can run some transactions through a “sandbox” or beta site. You only have to confirm results.
  • Change management – On site companies need to fix bugs and test. In the cloud, just confirm results. 
  • Logical security – A company that has an on-site system is responsible for all layers – network, operating system, database and applications as well as proper access and password policies. In the cloud, the company's responsibility is to segregate duties and implement password policies. Companies can prevent fraud in the cloud by segregating duties, but it still doesn’t guard against collusion. They must continue to observe behaviors, look for disgruntled employees and develop a fraud-proof culture. 
  • Network security – On-site personnel are responsible for security measures for all components. It is a minimal firm requirement on the cloud. 
  • Physical security – Company is responsible for security measures for all components, firewall, DMZ. Minimal on the cloud. Data backup and restoration – Risk transferred to cloud provider. System availability and monitoring – Risk transferred to cloud provider.

Warning clouds

By transferring these IT risks, a company shifts liability. How safe is your data? It’s like any other insurance policy. By buying insurance, aren’t you transferring risk? This is no different. That doesn’t mean you don’t have up-front responsibility for vetting your cloud service providers.

For example, make sure your cloud provider has been audited with a SOC 1 or SOC 2 report–they vary depending on the type of industry. These audits ensure that the service provider has the proper procedures in place to protect your data. Don’t let anyone tell you they don’t have time to have an audit performed; walk the other way. You can’t place your company’s risk transfer on someone’s word that your data is “safe with us.” Require audits to fully mitigate risk, or suffer the consequences.



On Site

Area of Risk


Major patch and upgrade procedures
and regression testing and migration to production.

Confirm the results

Change Management 

Bug fix procedures, testing, etc.

Confirm the results

Logical Security

All layers-network, operating system, database and application in addition to proper access , password policies.

Proper segregation of duties and password policies

Physical Security

Security measures for all component,
fire protection, etc.


Network Security

Security measures for all components, firewall, DMZ.


Data Backup
and Restore

All backups and restores of servers,
data, etc.


System Availability and Monitoring

Incident reporting and loss of productivity due to downtime.




Carolyn Duffy
Director of Business Advisory Services
Hein & Associates

Carolyn Duffy, CPA, is a director of business advisory services for Hein & Associates, a full-service accounting and advisory firm with offices in Denver, Houston, Dallas, and S Orange County. She specializes in cloud computing software implementation, as well as designing and implementing methodologies for SOX 404 and IT service lines. Carolyn can be reached at cduffy@heincpa.com or 303-298-9600.

About Us Editorial

© 2017 Simplex Knowledge Company. All Rights Reserved.   |   TERMS OF USE  |   PRIVACY POLICY