NAO said that public and private sector organisations are “increasingly adopting” cloud services with the aims of reducing costs, increasing efficiency and transforming their operations.
It added that government policy supports the move but recognises that accessing systems through the internet can bring new “contracting models and new challenges” and that some organisations may “lack the capacity or expertise” to select the right product for their needs, implement it securely and manage it effectively.
The new guidance provides an overview of cloud services and outlines government policy on their use. It then sets out specific questions for audit committees to consider asking when engaging with their management at three stages:
- Assessment of cloud services – looking at cloud services as part of organisational and digital strategies; the business case process; and due diligence.
- Implementation of cloud services – considering system configuration; data migration; and service risk and security.
- Management of cloud services – covering operational considerations; the need for assurance from third parties; and the capability needed to manage live running.
The full publication outlining the guidance can be found here.