As introduced in chapter 2, many companies use a public cloud computing model for software, data storage, or both. The advantages of public cloud computing, as described in the following list, are repeated from chapter 2:
1. Scalability. As a company grows, it can easily purchase new capacity from the cloud provider. It need not buy servers or new data storage as the cloud provider already has the capacity. This scalability is also a tremendous advantage for spikes in business activity. If a company has a large increase in business volume during certain seasons, it can easily scale up the capacity purchased from the cloud provider. When the seasonal volume declines, it then easily scales down the services it buys from the cloud provider.
2. Expanded access. Once the software and data are stored in the cloud, it can be accessed by multiple devices from many different locations. This gives the company much more flexibility for those who use or enter the accounting data. It also makes it easier for users to start up new computing capabilities.
3. Infrastructure is reduced. The company has a reduced need for servers and data storage since most of these resources are provided by the cloud provider. This also means that the cloud provider handles data security and backup of data.
4. Cost savings. Because of the advantages mentioned above, there are usually significant cost savings recognized from cloud computing. Cloud computing is usually a pay-for-service model. In other words, a company pays the cloud provider only for the level of services it actually uses. The scalability of the cloud means that the company no longer needs to maintain an IT system large enough for the peak demand periods. Cloud computing also allows a company to reduce its investment in IT hardware and the personnel needed to support IT hardware. This eliminates the financial risk because the user company avoids making a significant up-front financial investment in technology-related resources that may have uncertain returns.
A company must recognize the risks associated with cloud computing. When examined from its simplest perspective, cloud computing is the outsourcing of IT infrastructure (the hardware), data, and software to a third party. Although the advantages are noteworthy, control of the company’s data and software is transferred to the third-party cloud provider, thus introducing additional security, availability, processing integrity, and confidentiality risks. The user company must trust that the provider will keep the data secure and confidential. Similarly, the user must also trust that the provider will not have interruptions in service (downtime or breakdowns). A brief summary of the risks follows:
1. Security. All processing, storing data, and reading data occur over the Internet; therefore, the third-party provider must have good user authentication, firewalls, encryption, and virtual private network connections. If a company had its own IT, software, and data storage, it would design and maintain these controls. Under the cloud computing model, it depends on the third-party provider to maintain security controls.
2. Availability. Any interruptions in service cause the software and data to be unavailable. Again, a company is placing full control of availability in a third-party provider. The third-party cloud provider must have backup facilities, backup servers, data backups, and proper business continuity plans and disaster recovery plans. Most service level agreements indicate that a high level of uptime, even 100 percent, is guaranteed. However, these agreements also provide for credit or reduced payments if service is interrupted. It can be difficult to successfully recover funds paid to the provider or get concessions in future payments when interruptions occur. Even if the third-party provider has no downtime, an interruption in the company’s Internet access can prevent it from accessing cloud services. Therefore, Internet access must be available at all times for the company and the third-party provider.
3. Processing integrity. All control of software installation, testing, and upgrading is transferred to the third-party provider of cloud computing services. Thus a company has less control over ensuring that processing is accurate and complete. A company that outsources via cloud computing is trusting the third-party provider to maintain processing integrity.
4. Confidentiality. As is true of the previous three items, the control of maintaining confidentiality is transferred to the third-party provider. This includes an extra risk that employees of the third-party provider can possibly browse and misuse company data.
SalesForce.com, a cloud provider of customer relationship management software, experienced a sudden outage of service around noon on January 6, 2009. For about one hour, the service interruption prevented 900,000 subscribers from accessing or using the service. This outage prevented sales people and managers of the client companies from gaining any access to customer data. They were unable to engage in normal sales and promotional activities during the outage.
A more severe availability problem occurred at Coghead, a cloud computing vendor that offered database services in the cloud to paying customers. Coghead stored client databases and database applications on its servers. In February 2009, Coghead announced it was to be purchased by SAP, and customers would have to find alternative places to store data. Customers were given about two months to move their data off the servers at Coghead. This illustrates the loss of control of data if you store your data and applications in the cloud. You have less control over the data and applications, and if the provider happens to cease operations (such as going out of business), there is a significant risk of losing data and applications.
To avoid these extra risks inherent in a public cloud, many companies establish their own computing cloud structure. This is called a private cloud. The private cloud is developed, owned, maintained, and used by the user company. There is no involvement of a third-party provider. This private cloud offers many, but not all, of the advantages of a public cloud. A private cloud provides the majority of benefits in the areas of scalability and expanded access; however, it does not reduce infrastructure or reduce costs. The greatest advantage of a private cloud is that it does not transfer control of data and software to a third-party provider. Thus, the company maintains the ability to control the security, availability, processing integrity, and confidentiality risks.
THE REAL WORLD
Starbucks uses a combination of public clouds, private clouds, and traditional corporate IT systems. In its stores, Starbucks uses Office 365 for e-mail and productivity applications such as Microsoft Word. Office 365 is the public cloud version of the Microsoft Office Suite. For e-mail and productivity applications at the corporate offices, Starbucks uses its own traditional IT systems on premises. For its customer relationship management software, Starbucks uses SalesForce.com, a public cloud application. For other accounting and Oracle ERP applications, Starbucks uses a private cloud based on virtualized servers that they maintain. This example of using various IT approaches is quite common.
In each of these risk areas, a company places its trust in the third-party provider to have proper IT controls as described in the earlier parts of this chapter. A company must carefully examine and review cloud providers before entering into a cloud computing service agreement. A provider must be trustworthy, reliable, and large enough to scale up operations if necessary. User companies must continually monitor and assess whether the cloud provider is appropriately meeting their needs.
APPLICATION SOFTWARE AND APPLICATION CONTROLS (STUDY OBJECTIVE 5)
Applications software accomplishes end user tasks such as word processing, spreadsheets, database maintenance, and accounting functions. All application software runs on top of the operating system software and uses the basic input, output, and data storage functions of the operating system. Any accounting software is considered application software. Application software represents another entry point through which unauthorized users or hackers could gain access. As is true of the eight exposure areas described so far, the application software has security, confidentiality, availability, and processing integrity risks. Many of the general controls listed in Exhibit 4-5 can help minimize those risks. For example, authentication of the user through user IDs and passwords can reduce the chance of unauthorized access. Application software processes inputs into accounting information and therefore carries specific processing integrity risks not inherent in the eight previous IT components described. The specific processing risks are inaccurate, incomplete, or unsecure data as it is input, is processed, or becomes output. Another risk of application software is the addition and processing of unauthorized transactions. For these specific risks, application controls should be part of accounting applications.
Many of the general controls in Exhibit 4-5 can help limit access to application software; specific application controls should also be incorporated. Application controls are internal controls over the input, processing, and output of accounting applications. Exhibit 4-1 illustrated that application controls apply to specific accounting applications such as payroll, sales processing, or accounts receivable processing. In any of these accounting applications, data are entered through some method of input, those data are processed, and outputs such as reports or checks are produced. Application controls intended to improve the accuracy, completeness, and security of input, processing, and output are described as follows:
1. Input controls are intended to ensure the accuracy and completeness of data input procedures and the resulting data.
2. Processing controls are intended to ensure the accuracy and completeness of processing that occurs in accounting applications.
3. Output controls are intended to help ensure the accuracy, completeness, and security of outputs that result from application processing.
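As an added illustration that is not part of the textbook, the following Python script applies one control of each of the three types to a small, constructed batch of payroll records: input controls (completeness, format and range checks on each record), a processing control (reconciling the record count and a hash total of hours against the batch header), and output controls (masking employee IDs on the report and appending a control total). The record layout, the employee ID format, the 80-hour limit and the batch header values are all assumptions made for the example.

```python
"""Added example (not from the textbook): input, processing and output
controls run over a constructed batch of payroll records."""
from decimal import Decimal, InvalidOperation
import re

# Constructed sample batch (assumed layout): one well-formed record, one with a
# malformed employee ID, one with hours above the assumed limit, one missing a field.
SAMPLE_RECORDS = [
    {"employee_id": "E1001", "hours": "40", "rate": "25.00", "dept": "SALES"},
    {"employee_id": "1001X", "hours": "38", "rate": "30.00", "dept": "SALES"},
    {"employee_id": "E1003", "hours": "95", "rate": "22.50", "dept": "OPS"},
    {"employee_id": "E1004", "rate": "18.00", "dept": "OPS"},
]
REQUIRED_FIELDS = ("employee_id", "hours", "rate", "dept")
EMPLOYEE_ID_RE = re.compile(r"^E\d{4}$")   # assumed ID format
MAX_WEEKLY_HOURS = Decimal("80")           # assumed reasonableness limit


def input_controls(record):
    """Input controls: return the list of failures for one record (empty = accepted).
    Completeness check first, then format check, then numeric and range checks."""
    errors = [f"missing field {f}" for f in REQUIRED_FIELDS
              if f not in record or record[f] == ""]
    if errors:
        return errors
    if not EMPLOYEE_ID_RE.match(record["employee_id"]):
        errors.append("employee_id format invalid")
    try:
        hours, rate = Decimal(record["hours"]), Decimal(record["rate"])
    except InvalidOperation:
        return errors + ["hours/rate not numeric"]
    if not (Decimal("0") <= hours <= MAX_WEEKLY_HOURS):
        errors.append("hours outside 0..80")
    if rate <= 0:
        errors.append("rate must be positive")
    return errors


def processing_controls(accepted, expected_count, expected_hours):
    """Processing control: compute gross pay, then reconcile the accepted records
    against the batch header (record count and hash total of hours)."""
    results = [(r["employee_id"], Decimal(r["hours"]) * Decimal(r["rate"]))
               for r in accepted]
    total_hours = sum(Decimal(r["hours"]) for r in accepted)
    reconciled = len(accepted) == expected_count and total_hours == expected_hours
    return results, reconciled


def output_controls(results):
    """Output controls: mask employee IDs on the report and add a control total
    so the recipient can tie the report back to the batch."""
    lines = [f"{eid[:1]}***{eid[-2:]}  {gross:.2f}" for eid, gross in results]
    lines.append(f"RECORDS {len(results)} TOTAL {sum(g for _, g in results):.2f}")
    return lines


def run_batch(records, expected_count, expected_hours):
    """Run the three control layers over a batch. Returns rejected records
    (by index, with reasons), the reconciliation result and the report lines."""
    checked = [(r, input_controls(r)) for r in records]
    rejected = {i: errs for i, (_, errs) in enumerate(checked) if errs}
    accepted = [r for r, errs in checked if not errs]
    results, reconciled = processing_controls(accepted, expected_count, expected_hours)
    return {"rejected": rejected, "reconciled": reconciled,
            "report": output_controls(results)}


if __name__ == "__main__":
    # Assumed batch header: 4 records, hash total of hours 40 + 38 + 95 = 173.
    outcome = run_batch(SAMPLE_RECORDS, 4, Decimal("173"))
    for idx, errs in outcome["rejected"].items():
        print(f"record {idx} rejected: {', '.join(errs)}")
    print("batch reconciled:", outcome["reconciled"])
    print("\n".join(outcome["report"]))
```

Because three of the four records fail input controls, the batch no longer reconciles to its header, which is the point of layering the processing control on top of the input controls: rejected input must be corrected and resubmitted rather than silently dropped, or the control totals will not agree.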