In the present era, everything runs in the cloud. The development of Cloud computing technology and led to a sharp decrease of Capital Expenditure for industries. It has also led to their solutions being made available everywhere and at any device. This article provides functional knowledge as to how a Chartered Accountant may provide value addition for the development of Internal Controls that protect the Confidentiality, Integrity, Availabilty and Privacy of the data being used by the Cloud.

1. Cloud Computing – Emerging
Opportunities for the profession
Anand Prakash Jangid and Bharath Rao
Venturing into a whole new level of consultancy and assurance
History and Introduction
We are nowpart of a systemthat is revolvingaroundAutomation,FlexibilityandConvenience.Work
at a slowpace is not tolerated.We require the work to be completedatthe fastesttime andat zero
errors. Ever since the advent of computers, man has been able to increase his working speed at an
exponential rate. Right from the abacus to the smart phone, newer ways and methods are being
developedwiththe objective of providingAutomation,FlexibilityandConvenience.The inventionof
the internet has played a massive role for connecting the world and making it as a global village.
Business have been set up by responsible entrepreneurs and have leveraged these benefits of the
computer and the internet. Computers is now part of everybody’s life whether he likes it or not.
Computersplayanimportantrole inone’slife asit helpsinthe fieldsof Education,Medicine,Health,
Business, Profession, Industry etc. Thus it is inevitable to progress without the help of the digital
magic-box.The presenceof internethasgrownsolarge thateverythingnow residesonanetwork.All
the data is present on the internet and is available at a tap of a screen. Yes the phrase “click of a
mouse” is now history.
Business on the Cloud
Businesseshave capitalisedonthecloudtoperformtheirbusinessoperationstomeettheirobjectives.
The cloudisa conceptevolvedfromthe internetwhich,insimple parlance,refersto,adigital system
present on the internet providing a platform to create, store, process and circulate data (SaaS –
Software-as-a-Service). This digital system also provides a platform to develop one’s own custom
applications (PaaS–Platform-as-a-Service) andprovidesresourcestohost those(IaaS–Infrastructure-
as-a-Service).Thisdigitalsystemisaccessiblefromanydeviceandfromanylocationof the world. The
keybenefitof the cloudisthat,all of the abovementionedfunctionsisperformedonsystemsthatare
owned by someone else.
This has resultedina way of runningan enterprise usingthe cloud. Critical financial transactionsrun
from the cloud. The cloud stores data which are sensitive. Cardholder’s data, Intellectual Property,
Business Secrets, Bank Information,Supply Chain Information,Customer and Vendor Data are some
examples. Some business functions like swift payments, NEFT and RTGS, Credit Card Payments,
Enterprise Resource Planning, Governance, Risk Management and Compliance are performed using
the cloud. This is possible as investment on capital expenditure is not requiredas one would rely on
cloud service providers and would incur costs on a subscription based release of payments.
It iscrucial that controlshave tobe inplace at critical aspectsof the cloudin orderto ensure thatthe
confidentiality, integrity and availability of the data is not compromised.

2. Chartered Accountant and the Cloud
A CharteredAccountanthasaunique blendof qualities.A CA canbe referredas a Techno-Functional-
Legal qualityequipped person.Suchqualitiesare developedtogetheronlyinthisprofession.A CA can
provide enormous value addition in order to develop controls and audit them.
Leveraging on providing consultancy for Cloud Compliance is a path a CA can opt for in providing
significantvalueadditiontohisclient.Operatingonthe cloudhasledto the followingrisksasperthe
report provided by Cloud Security Alliance in 2014.
Cloud Threats
At an unprecedentedpace,cloudcomputinghassimultaneouslytransformedbusinessand
government,andcreatednewsecuritychallenges.The developmentof the cloudservice model
deliversbusiness-supportingtechnologymore efficientlythaneverbefore.The shiftfromserverto
service-basedthinkingistransformingthe waytechnologydepartmentsthinkabout,design,and
delivercomputingtechnologyand applications.Yetthese advanceshave creatednew security
vulnerabilities,includingsecurityissueswhose full impactisstill emerging.
The followingare identifiedascritical threatstocloudsecurity(rankedinorderof severity):
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. MaliciousInsiders
7. Abuse of CloudServices
8. InsufficientDue Diligence
9. SharedTechnologyIssues
Design of a Control Framework
Preparation for the implementation has to be giventhe great importance. Due care has to be taken
for a strong implementationof the Businessonthe Cloud.Dependingonthe strengththat ispresent
in the foundation, further expansion of the platform can be performed smoothly.
Chartered Accountant
Design of
Control
Framework
Audit of
Control
Framework
Support for
better
Compliance

3. Inthe designof the CloudControl Framework,aCA can addmaximumvalue additionasdesigningthe
businessmodel isthe verysolutionforthe CloudPlatform.Thismodel hasthe followingcomponents
–
- Understanding the Business Entity.
- Understanding the Business Operations Standard operating procedure.
- Performing a Business Process re-engineering.
- Design of Automated Internal Control checks in the system.
- Design of Preventive and Detective Internal Controls on the Business Applications and the
Cloud Support.
All of the above constitute the model/framework onwhichthe businesswouldnow operate on.The
controls would be then tested withdata. The data may or may not be live data. However,a CA can
facilitate the test.
Upon successful completionof the tests,the frameworkwouldhave tobe implementedinthe Cloud.
In simple words, Cloud would be configured to operate business, cater customers and maintain
relationship with the customer and vendors.
A CA can leverage Frameworks like the COBIT 5 Framework and COSO Internal Control Framework.
Publicationslike the COBIT5 Riskand COBIT 5 Implementation byISACA andCloudControl Matrix by
CloudSecurityAlliance wouldhelpthe CA to decide onthe control objectivesandcontrolsthatwould
needto be present in the cloud environment and thus will design an effective control framework.
Audit of a Cloud Control Framework
A CA’s primary role of value addition is Auditing. A CA by virtue of his signature can provide the
following Assurance Services to the client with the following scope of activities –
- Privacy Laws are complied with
- Sufficient preventive and detective controls are in place and are continuously monitored
against the identified risks
- Ensuring that there is no data leakage from the platform
- Reviewing the storage controls that is implemented keeping
- Reviewingthatsufficientandadequate securitymeasureshave beendeployedtoprotectthe
personally identifiable information of others
- Ensuring that the controls enforced by the Cloud Business Applications are operating
effectively
- Ensuring that the control design is adequate to the nature and size of the business
The COBIT 5 Framework providesan approach that can be adopted by an assurance professional to
provide assurance inanIT Environment.The CloudControl Matrix byCSA isa Riskand Control Matrix
developed in order to have an industrial security benchmark on the Cloud. A CA can leverage these
documents to provide assurance as mentioned above.
Regulations
There are many regulationstobe compliedatdifferentgeographicallocations.PrivacyLawsandData
Governance Lawsare the primarytwolawsthat needto be compliedatan international level.Bench
markedlawslike thatSarbanes-OxleyAct,CompaniesAct 1956, PCI-DSScompliance canbe complied
by providing adequate consultancy and recommendations to the client on a regular basis. A CA can

4. help the client to comply the ISO 27000 family, ISO 22301, SSAE 16, Companies Act 2013, HIPAA,
Sarbanes-Oxley Act etc.
Conclusion
Usage of the Cloudisgainingscope at a tremendousrate ona dailybasis.People relyonthe cloudas
a primary resource to host and control their business. Cloud Computing has certainly paved a new
path to Chartered Accountants to provide a fresh line of Consultancy and Assurance Services.