The term “auditor,” according to the Oxford English Dictionary, stems from the historical responsibility of an official examiner to hear oral statements of account from those who held money on others’ behalf. And if you were an auditor listening to oral accounts, you would certainly notice the difference between someone saying “I hold $5,000 belonging to Mr. X” and “I used to have $5,000 belonging to Mr. X, but I gave it to Mr. Y to hold for me.” In the second case, you would need to check with Mr. Y to ascertain whether the account was indeed correct, and whether those funds were still safe.
These days, auditors not only listen to oral accounts, but also read written records and analyze financial statements. In IT auditing, those records include data dictionaries and network maps. But the underlying concept of the auditor remains the same – to examine statements of account.
Cloud computing is the equivalent of saying, “Mr. Y has the money, not me.” Except in this case, it’s not money, but corporate data. And auditors are less able to get an answer to the all-important follow-up question: “Is it safe?”
Corporate consumers of cloud computing rely entirely upon the attestations of their providers to answer those follow-up questions about the specifics of security. For auditing to be complete and worthwhile, there has to be a handshake between the auditor of the provider and the auditor of the consumer of cloud computing services. The auditor needs to know what security practices are being followed and whether they’re being kept up to date. And the auditor can’t just accept it on hearsay.
In general, whenever business processes cross organizational boundaries, the complexity of auditing and monitoring compliance increases. Cloud computing adds another dimension to this complexity: it is not just a single business process being placed in the hands of another entity, but a component that stretches across multiple business processes.
If you were to visualize an organization’s value chain, its adoption of cloud computing wouldn’t replace a single link in the chain, it would change the nature of every single link. If customer data, for example, is held in the cloud, then all practices involved with customer data, from customer acquisition to fulfillment to servicing, have to be re-assessed for compliance purposes.
Yet this need not be a sticking point. For smaller enterprises, a well-prepared supplier often provides higher levels of security, assurance, and process excellence than can be offered by the organization itself, with the increased costs of compliance more than made up by the efficiencies of scale and scope. This is why small-to-medium-sized enterprises have adopted cloud-based applications at a rapid clip.
The problem becomes more challenging when a highly complex entity goes to a smaller cloud technology provider. In this case, the provider has to race to catch up with the compliance obligations of the larger entity. The cost involved with meeting these organization-specific compliance requirements cannot be easily distributed across many clients, which makes the value proposition of enterprise cloud computing harder to achieve. An example would be a security-minded government agency, which would tend to look to a private cloud rather than a public technology provider.
As cloud technology providers become more mature and more able to handle the specific compliance needs of vertical industries, along with the process flexibility to deal with the idiosyncratic requirements of specific enterprises, the auditing process for cloud should become easier. But in the meantime, auditors examining the cloud should listen to their gut instincts. They’ll usually be right.