IT Audits of Cloud and SaaS
Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA
Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA, is an associate professor of information systems (IS) at the University of Alabama at Birmingham (USA), a Marshall IS Scholar and a director of the Forensic Accounting Program. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting IS using microcomputers. Singleton is also a scholar-in-residence for IT audit and forensic accounting at Carr Riggs Ingram, a large regional public accounting firm in the southeastern US. In 1999, the Alabama Society of CPAs awarded Singleton the 1998-1999 Innovative User of Technology Award. Singleton is the ISACA academic advocate at the University of Alabama at Birmingham. His articles on fraud, IT/IS, IT auditing and IT governance have appeared in numerous publications, including the ISACA Journal.

Moore’s Law has been operating for decades without signs of slowing down, which leads to new technologies and, thus, new challenges for IT auditors. In recent months, cloud computing and Software as a Service (SaaS) have led the “bleeding edge” of IT. Therefore, IT auditors need to understand these technologies, establish an approach for identifying the key risks and develop effectual audits of the technologies for those risks. However, the risk-based approach (RBA) process for cloud computing is complicated by the fact that all of the technologies and controls are housed outside the entity being audited.1, 2, 3

A key to IT audits of cloud computing and SaaS is to choose a framework for the components that assists an effective risk assessment of those technologies. Once a proper risk assessment is produced, the IT audit becomes a natural extension of auditing for the identified risks, especially where controls have not adequately mitigated the risk. This RBA is the common approach for audits of various types today.

Components of Cloud Computing

Much has been written about cloud computing, SaaS and data centers, but often those technologies are melded as a composite service referred to as cloud computing. Actually, there is a simple framework for thinking about cloud computing that should help IT auditors in performing a risk assessment. The components are Infrastructure as a Service (IaaS) and Software as a Service (SaaS)—almost identical to the way we think of the body of technologies internal to an entity.

Cloud Computing: IaaS

Services of IaaS components replace or supplement the internal infrastructure. The key decision factors for management in deciding to move to IaaS (outsourcing part of its infrastructure) and choosing the appropriate vendor are usually efficiency-related. For instance, it takes one full-time employee (FTE) “blank amount of time” per year to manage about 70 servers. If the entity has a server farm, it can outsource those costs to an effective data center and reduce costs significantly. In addition, when the entity needs to upgrade its software, or acquire a new software application, the consideration of infrastructure is probably an insignificant consideration regarding cost, assuming the choice in IaaS provider was sufficiently sophisticated, and requires little to no changes to its own infrastructure.

There is also the accounting consideration. Usually, infrastructure costs are substantial and, according to the Generally Accepted Accounting Principles (GAAP), are treated as a capital expense (CAPEX). However, if the infrastructure is outsourced, the expense associated with the IaaS infrastructure usually becomes an operating expense (OPEX). In the US, this leads to a tax advantage regarding income taxes.

Thus, some of the key factors for management when choosing the IaaS provider are flexible performance (including scalability) and availability while achieving physical and virtual security needs.

There are various ways to break down IaaS, but here is one way:
• Connectivity
• Network services and management
• Compute services and management
• Data storage
• Security

Connectivity obviously refers to reliable access to the Internet and connectivity to associated systems and technologies, for instance, data storage to application servers. Examples of risks would be availability/downtime and speed of access.4 The average entity experiences one day per annum of downtime.

Network services and management includes not only providing network capabilities, but managing the network, monitoring the network and providing for efficient access through aspects such as load balancing. Examples of these risks