Question

You are the technology auditor for a medium size online retailer. With the growth, it has been very difficult for the Information Technology (IT) group to keep up with the hardware requirements and new software for all the various smartphone applications. Although there would be reduction of most of the IT staff the CIO has done a complete analysis of moving to a Cloud Computing solution with Amazon Web Services. With this change, all IT functions for the primary application of customer order processing and fulfillment would be handled through Amazon. The reduction in ongoing costs would be almost fifty percent along with major capital expenditures for upgrades if they were to keep processing in-house. Much of the in-house technology is outdated from a web application and regulatory standpoint.

Amazon Web Services is the largest provider of integrated Cloud Computing Services and offers a complete set of infrastructure and application services. Many organizations have lowered costs, including your competitors allowing them to lower costs and gain market share. One of the key benefits of cloud computing is the opportunity to replace up-front capital infrastructure expenses with low variable costs that scale as the business grows.

You have been asked by senior management to assist with the Amazon project and the evaluation of the controls.

a. Describe the five most significant areas of controls concern that you would like to express to the senior management in the transition to Amazon? Make sure your control concerns are consistent with the facts of the case.

b. How would you propose the organization get comfortable with the controls at Amazon    prior to signing the contract? Be specific.

c. Assuming the contract is signed and processing moves to Amazon, what role can internal auditing play in providing assurance to the company. Let’s assume that internal auditing will not be able to perform on-site audits.

Answer 1

(a) 1. Security of data transfer must be ensured. Make sure your data is travelling from a secure channel. Data should always be encrypted and authenticated.

2. Software interface must be secure. Authentication and access control techniques should be used.

3. Data stored in cloud must be secured. It is the major concern in cloud computing. Cloud providers should be responsible for security of data storage.

4. Access control is another major concern. Access should be provided to an aunthicated person. Cloud provider should establish a proper system to provide aunthicated access.

5. Confidentiality is another area of control.

(b) Organization should signed a written contract with amazon. All these controls should be mentioned in contract agreement. Organization must study of above mentioned controls before signing any agreement.

(c) Role of internal auditor to ensure the three main areas confidentialty, integrity and availability. Auditor must ensure that data is not availabe for unauthorised person. Data must be integrated and should be available when it is needed.