Banks in the Cloud: Guidance for cloud auditing
European Banking Federation

This blog is written by Drs. Patrick Maes, Managing Director – Global Head of Bank User Solutions at Credit Suisse, Chairman of The Cloud Expert Group and Cloud Forum at the European Banking Federation, and Executive Board Member at SWIPO Aisbl.

During my 40 years of experience in Banking IT, I have seen the introduction of many “new” technologies. In the eighties, we saw AI and expert systems together with client-server and end-user computing. In the nineties, we became excited about object orientation, distributed computing, and UNIX. More recently, we witnessed the rebirth of AI & Machine Learning and the broad adoption of open source, DevOps, agile, and cloud. Each of these technologies introduced innovative concepts and paradigms, but unfortunately, not many reached the full potential they promised to deliver.

Will this also be the case for cloud computing? To answer this question, we must look at the challenges surrounding cloud adoption. First, technology innovation is often “over-hyped” by the technology vendors, creating unrealistic expectations and positioning it as a silver bullet to Chief Information Officers (CIOs) and management. The second contributing factor is the generally poor implementation of cloud technologies due to insufficient investment in skill development. This has resulted in pollution of cloud implementation patterns with legacy concepts (hybrids) and unrealistic large-scale adoption programs, which are often targeting the migration or replacement of stale legacy assets with little business benefit. Thirdly, just like other technologies – such as AI – the cloud faces a multitude of regulatory requirements, with more coming in as we speak. This creates expectations that are not always in line with the maturity of the technology, creating challenges for harmonized cloud adoption at scale in an economically viable way.

Let us focus on the third factor today. For cloud technology to reach its full potential, regulatory fragmentation in its adoption must be avoided. A harmonized understanding of cloud computing and its implementation is vital. With regulators and supervisors paying close attention to cloud-related risks, this field warrants particular attention among banks and cloud service providers. Within this context, audit requirements emerged as a central tool for financial institutions to secure their risk-based approach to cloud technology. The internal audit function is an essential part of the supervisory guidance and expectations for cloud use by banks, codified under EBA Guidelines on outsourcing arrangements and picked up under the recent regulatory advancements in the Digital Operational Resilience Act (DORA).

European banks created the EBF Cloud Banking Forum to promote cooperation with Cloud Service Providers (CSPs) on cloud auditing in the European financial service sector. The Forum – bringing together IT architects, legal experts, and cloud specialists – led banks’ auditors and CSP experts to co-draft guidance and educational background about auditing the cloud. By combining the expertise of both users and providers of cloud in financial services, we have put together a comprehensive technical paper that addresses fundamental considerations and presents best practices for the pooled audit exercise.

We must apply our risk-based approach in an increasingly hyper and multi-scale cloud environment, catering to multiple customers and under constant service innovation. This requires banks to consider the right tools and processes to gain assurance on cloud use. Solidly anchored in the regulatory and supervisory requirements of the financial framework, the EBF Cloud Banking Forum’s paper offers an overview and insights on different assurance tools. We encourage auditors, CSPs, and regulators/supervisors to use the guidance for a more harmonized understanding of and approach to cloud auditing. Such a better understanding will allow us to tap into possible synergies for assurance gains at scale while upholding the compliance requirements under the existing framework for banks.

I would like to thank all involved experts for their contributions to this document and the EU observers from the European Commission, ECB, and EBA for their insights at a time during the drafting process.

We hope this technical paper will help advance the European banks in this field of sophisticated cloud auditing processes, validating banks’ efforts under a risk-based approach, and overcoming obstacles related to assurance questions.

You can discover the full report here!

I wish the reader a successful cloud journey!
