25.06.19
The National Audit Office's guide to cloud services
The National Audit Office’s digital transformation expert, Yvonne Gallagher, focuses on assessing the implementation of digital and related change programmes.
Cloud services can bring cost and performance benefits. But they can also generate new challenges and risks.
The National Audit Office’s (NAO) new guide ‘Guidance for audit committees on cloud services’ helps leaders of organisations to oversee the decision-making and implementation of cloud services.
What is the cloud?
The ‘cloud’ is a term for using the internet to access systems and data stored outside an organisation’s own premises. Cloud services are not new. But better and faster internet connections today create new opportunities for cloud services, which are available in an increasing range of areas, including business and financial systems.
Why should you care?
Organisations are increasingly adopting cloud services with the aims of reducing costs, increasing efficiency and transforming their operations. However, there is a growing acknowledgement in government that achieving these benefits is not always straightforward.
To help boards, audit committees and other leaders, the NAO’s new guidance sets out questions that can be asked at three stages: assessment, implementation and management of cloud services.
How should you assess the need for cloud?
Moving to cloud can have significant long-term implications for the future operation and running costs of an organisation. So, before committing, leaders must first understand what is involved. Management should set clear criteria for success so that it can properly evaluate the options in three key ways.
Firstly, in setting a strategy, avoid being led by specific technological solutions. ‘Cloud first’ may not be right for everyone. Secondly, costs can vary significantly depending on uncertain factors such as future service usage and organisational capability. Business cases need to be clear on the benefits: whether they are reducing costs, improving services or enabling transformation.
Finally, it is important to check proposed providers meet all relevant security requirements, standards, regulations and business-specific needs. Organisations cannot afford to be passive consumers.
What are the risks in implementation?
Implementing cloud services is a big change which involves significant challenges and risks. Organisations used to storing data on site may not have the capability or experience to deal with the challenges of introducing and configuring new services.
Organisations need to address three key risks during implementation. The first is to devote time and attention to setting up services, and to ensure this continues through implementation to deal with unexpected issues. Organisations need a robust plan in place to maintain business as usual while managing change. They need to understand the impact of data quality and whether data should be transferred in its existing state to new systems.
Secondly, risks should be assessed with clear responsibilities assigned to staff and mitigating actions put in place. For example, there should be plans to deal with a range of scenarios for service outage and data loss. Thirdly, organisations must consider how these changes will affect all key stakeholders and users, in addition to managing how the new services are implemented.
What does cloud imply for managing services?
Moving to cloud should reduce the resource needed to manage in-house services. But this will be counterbalanced to some extent by the need for specialist expertise to understand, manage and interpret the relationship between the cloud service and the organisation.
A key consideration is the impact on IT operations. Cloud services are updated frequently, and the organisation will often have less control over the acceptance of updates. A second consideration for management is how much assurance it receives from cloud providers.
Cloud providers typically commission Service Organisation Control (SOC) reports from independent auditors to provide assurance to their customers on controls and security arrangements. External auditors will wish to see these reports as part of the annual audit and follow up any deficiencies. All of these considerations mean that the decision to adopt cloud services is one that requires active review and consideration by organisations at all levels.
Source: PSE June/July 2019