Regulatory Compliance Audits
Cloud computing is an operational model and set of technologies for managing shared pools of computing resources that has the potential to enhance collaboration, agility, scaling, and availability. From a business perspective cloud computing is attractive due to the opportunities for cost reduction through scalability, flexibility, and limited capital investment requirements. Cloud Service Providers (CSP) try to leverage economies of scale to manage costs and enable capabilities. This means creating extremely standardized services (including contracts and service level agreements) that are consistent across all customers.
Cloud computing affects risk governance, management, and oversight. The key to the success of cloud solutions is establishing clear, documented responsibilities between the company and the CSP. The primary issue to remember when governing cloud computing is that an organization can never outsource responsibility for governance, even when using external providers. Cloud computing changes the responsibilities and mechanisms for implementing and managing governance. Responsibility is shared between the cloud customer and the cloud service provider. A general model for risk management/control responsibilities is as follows:
A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Audits are important because they provide management with a way to monitor whether compliance obligations are actually being upheld, or whether they are being ignored or side-stepped. Audit reports evaluate the strength and thoroughness of compliance preparations, security policies, user access controls and risk management procedures over the course of a compliance audit.
Compliance auditing, either internal or external, can help a company identify weaknesses in regulatory compliance processes and create paths for improvement. In some cases, guidance provided by a compliance audit can help reduce risk, while also avoiding potential legal trouble or federal fines for noncompliance.
Compliance audits begin with a meeting between company representatives to outline compliance checklists, guidelines, and the scope of the audit. During the fieldwork phase of the audit, the compliance control structures are evaluated to determine whether each control is supported by properly designed policies and procedures and by reliable records.
The most common reasons for audit failure include:
Poor prioritization from the top
Lack of documentation
Manual processes being vulnerable to human error
Weak or missing risk assessment failing to identify critical control activities
The IT component of most regulatory compliance audits focuses on the following four internal control categories:
IT security: Ensure that proper controls are in place to enforce the concept of least privilege and prevent unauthorized access to confidential and/or personally identifiable information. Additional assessment may be required to evaluate the tools and procedures designed to remediate incidents should they occur.
Access controls: Physical and electronic controls that govern the rights of users to view, modify and delete regulated information. This includes keeping servers and data centers in secure locations, implementing effective password controls, and other measures.
Data backup: Maintain backup systems to protect sensitive data. Data centers containing backed-up data, including those stored off-site or by a third party, are subject to the same compliance requirements as those hosted on-site.
Change management: This involves the processes for approving and documenting actions which impact the computing environment such as adding physical equipment; commissioning and decommissioning virtual servers and networks; updating and installing new software; and making any changes to databases or other data infrastructure components.
Additionally, several of the newer regulations focus specifically on cybersecurity controls. Those risks are discussed in more detail on the Cybersecurity Program Maturity Assessment page.
CTSA offers regulatory compliance audits for the technology components of the following regulations:
Sarbanes-Oxley Act (SOX)
Health Insurance Portability and Accountability Act (HIPAA)
EU General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA)
New York Department of Financial Services Cybersecurity Regulation (NYCCR 50)
Germany - Cloud Computing Compliance Controls Catalogue (C5)
Why Engage CTSA?
CTSA's Chief Technology Specialist has 35 years of Internal Audit experience focusing on technology solutions and data protection. He will personally work with your company to ensure that the policies, standards, procedures, guidelines, and detailed configurations/controls related to managing the risks required to comply with any of the above regulations have been identified and adequately assessed.