Top Risk Factors of Being in the Cloud
The discussions about cloud among the accounting profession may have shifted more from “why” to “what do I put there/do there,” and as with any such move, there are still questions about the finer details of working in a cloud environment.
What this means, of course, is that extremely little of your work and file management takes place in your office or on a local server. While there is increasing comfort with or understanding of what the cloud is, there are still numerous concerns, ranging from dealing with cloud vendors to security and connection issues.
During the AICPA Practitioners Symposium and TECH+ Conference, a panel of known cloud-computing and usage experts was asked pointed questions by other accountants about the realities of being in the cloud. The panel included:
- Jim Bourke, CPA, CITP, partner at WithumSmith+Brown, who oversees much of the firm’s technology decisions.
- Jules Carman, senior director of product marketing, accounting, and consulting segments at Intapp.
- Steve Ursillo, CPA, partner and director of technology and assurance services at Sparrow, Johnson & Ursillo Inc.
Below are some of the top questions and responses from the panelists during the 75-minute session at the conference:
What do you advise staffers who are still challenged with paper files?
Jim Bourke: Have a process, give them the ability to store these files without restrictions. These days, realistically we know it’s not “paperless,” it’s “less paper.” Make sure you use something in the cloud that makes it easy to scan and find files. Give everyone stuff they need to get files into the cloud.
Jules Carman: There are so many solutions out there, so if you are taking all of your data and maybe don’t want certain staff to have access, there’s technology for that to limit access and manage that data, as well. The cloud vendors you use should partner with you to develop best practices. You don’t need to self-educate.
How can you be sure your firm owns that data that’s in the cloud and where it resides?
Steve Ursillo: There is always going to be supply-chain management and you are going to have a process that identifies risks in a structured format. All providers have SLAs (service level agreements), and some are more flexible than others. In the SLA, it usually details the ownership and other concerns you may have with a cloud provider. Know that if it’s your data and there’s a breach, it is still your responsibility to disclose that breach to all parties.
Jules Carman: You want the vendor to have the same alignment on risk assessment as you. In terms of if there is a breach, you need to ask what is their response and what access do they have? It’s the whole data management discussion you have with the vendors before you sign anything. Whatever your concern, you can usually get it in writing.
Jim Bourke: You can’t always make lots of changes [to an SLA], but you can usually have room to have some assurances on what happens to your data. Is vendor access to your data a bad thing? Not necessarily, but you should have your concerns addressed in writing with the vendor you choose.
Is there best practice documentation of what questions to ask a cloud provider?
Steve Ursillo: The Cloud Security Alliance has some. There is also guidance that we have on SOC, as well. If you talk to anyone in the risk management department of a cloud provider, they are constantly grilled on their policies.
Jim Bourke: You do tax, audit, and compliance. They do security, but go out in the community and understand what to ask from your colleagues. Visit a data center yourself if you can.
Jules Carman: The majority of you have some sense of a security governance program with what you use already. See what is in place and what needs to be modified if you are looking for a starting point.
How much security is there in what a particular provider recommends?
Steve Ursillo: You may choose Provider A and it may not be compatible with Provider B. Find out what supply chains they are using that will give you a comfort level.
Jim Bourke: I like the preferred provider approach because they do have to vet them already, probably better than we could do.
Jules Carman: The [vendors] more than likely understand your unique operating model so the alignment will be more valuable.
What are some of the cons of moving to the cloud?
Jim Bourke: The downside to me, with firms, is they struggle with bandwidth and connectivity. If you move more things there, you have to get there and use it well. You do need a backup. Data centers do have multiple backups, but not every place in America has super-fast fiber cables. Nothing is guaranteed.
Steve Ursillo: Making sure you have the right resilience and redundancy. You will have outages due to weather or what have you, so know that you have some backup from your providers. That said, when you think about cybersecurity, think of the people and resources behind giving you access to data and keeping it safe. It’s more than you, yourself, or anyone in your firm can do.