Internal audit in the cloud


The critical role of IA in cloud security


As organizations increasingly migrate to and rely upon cloud-based solutions, internal audit (IA) is uniquely positioned to play a critical role in the adoption of a cloud security program.

IA’s independence and objectivity can provide insights that enhance the ability for management and the board to oversee and control risks. IA bolsters cloud security by:

  • Assessing cloud security strategy and its alignment with risk and compliance
  • Understanding cloud security architecture, service types and associated risks and challenges
  • Identifying areas for improvement and communicating them to the board and management
  • Collaborating with the cloud service provider, IT, IS and leadership to translate enterprise risk management objectives



Cloud migration and related cybersecurity risks


Cloud computing has seen rapid adoption because of its speed, agility and affordability. Benefits include a scalable infrastructure, flexibility in access to computing resources and reduced expenses associated with maintaining infrastructure like data sources, network components and, in some cases, even physical data centers.

However, the cloud also presents challenges. Studies suggest that more than 70% of companies had a cloud data breach in the previous 12 months, which has intensified the need for cloud security. A Sophos News survey revealed that organizations have been confronted with a variety of cloud data breaches. About 34% faced a malware attack, 29% had exposed data and 28% suffered a ransomware strike.



Many IA leaders are considering the responsibilities their organizations have for cloud security, said Grant Thornton Internal Audit Cybersecurity Partner Scott Peyton. “We’re hearing from many of our internal audit clients who are in the cloud and asking the question: ‘Where should we draw the line between our role and responsibilities and that of our cloud service provider?’”




How IA provides perspective on cloud security


IA plays a critical role in assessing and enhancing your cloud security by:

  • Helping management understand cloud security architecture, with associated risks and challenges
  • Identifying areas for improvement and communicating them to management and the board
  • Supporting collaboration among the cloud service provider, IT, IS and leadership

IA’s assistance is also vital in helping to bring leading practices to a cloud security strategy, with a focus on the risk and control elements primarily driven by people, process and technology:


  • Address risks from a lack of skilled cloud security experts
  • Identify key dependencies on the cloud service provider and critical third-party providers
  • Evaluate clearly defined roles and responsibilities, ensuring that risks are collectively mitigated


  • Evaluate alignment of cloud security against business goals and objectives
  • Assess non-standard processes introduced through migration to the cloud
  • Evaluate processes for risk mitigation as responsibilities transition from one business function to the other
  • Examine adoption of cloud controls, and how they impact risk and compliance efforts


  • Address risks related to privilege access, data storage and security
  • Evaluate risks that protect against shared responsibilities from third-party service providers that provide cloud services

“Given the number of internal and external players who have a role in cloud security, leaders must constantly emphasize the importance of shared responsibilities. While the cloud provider is responsible for security OF the cloud, the organization is responsible for security IN the cloud.” said Grant Thornton Internal Audit Cybersecurity Director Vikrant Rai.




Focus on these cloud security areas


When your organization has accepted its responsibility to ensure strong cloud security, it can move forward to develop a program that identifies key focus areas and an action plan to audit those functions. Concentrate on the most important areas, including:

  • Cloud program governance: Policies, procedures and risk-based planning and assessment; for compliance with standards, regulations, legal, contractual and statutory requirements
  • Policies and procedures: Identification and assessment of how identity inventory, password policies, and other information is managed
  • Application security: Secure application design and development, such as access code, logic and secure coding practices
  • Data security: Data inventory, classification, storage, ownership and privacy
  • Key management and encryption: Policies, procedures, roles and responsibilities, and encryption requirements on classified data

Management needs to ensure that the cloud security program is built into the overarching enterprise resiliency architecture. That means, environment aside, you need to ensure you are following the security controls and requirements that can help reduce the risk to your organization.

A strong cloud security audit program must develop a “cadence,” or a regular review cycle of cloud security, configuration and other factors. In addition to an annual audit, cloud security should be reviewed with each change in strategy or with the introduction of a new application. As the cloud strategy evolves and major applications are being moved to the cloud, it’s important to perform a pre-implementation review.

Awareness is critical. In a poll that was part of the Grant Thornton webcast Internal audit’s role in establishing an effective cloud security program, the highest numbers of respondents indicated that their organizations have not put effective cloud security into place and the security responsibilities are not fully understood.




This lack of preparedness is in spite of the fact that 82% said they have at least a partial grasp of what cloud security entails.



Cloud security isn’t optional


Creating a strong cloud security program requires identification of not only key IA focus areas, but also a thorough understanding of your operational objectives, risks and processes. It also requires the integration of program enhancements to prepare for inevitable risks.

In responding to another polling question, only 20% of respondents said they had begun to develop the three main components of a cloud security program:

  • Cloud security program goals and objectives
  • A clearly defined architecture based on the service type
  • A shared responsibility model based on the service type

A final question revealed that only a small number of participants have implemented main components of a cloud security program.


“You have to work with your cloud service provider, your security organization, your IT function, your infrastructure teams and your third parties to ensure that appropriate levels of controls are built in,” Rai said. “That’s where the shared responsibilities come into the program architecture, because it’s necessary. It’s no longer an option. The key is knowing where you are – your current state – and where you want to be.”

* For all poll questions, the highest three responses are shown. Survey results are based on responses from an average of 600 participants.




Our featured advisory services insights