Banks in the Cloud: Guidance for cloud auditing (Part II)
European Banking Federation

This blog is written by Tina Nedyalkov, Group Audit at Deutsche Bank, and Thomas Pfeiffer, Group Audit at Commerzbank AG.

Cloud computing is a central technology for the financial services industry to adopt innovative service solutions, aiming to serve the advancing needs of users and investors. It has the potential not only to enhance the efficiency of financial services companies’ IT infrastructure, but also to enable the development and uptake of new services based on previously unavailable capacities and opportunities. This makes the adoption of cloud computing – and thereby the access to innovation for the companies in the financial services sector – paramount.

The adoption must only be done in full compliance with the regulatory framework for financial services companies in Europe. These companies are fully aware of – and fully committed to – safeguarding data security and mitigating risks in the virtual environment that is cloud computing.

While doing so, they can look back at a history of transformation experiences under a financial regulatory framework. These companies have always innovated their operations and service offers, adopting technology available at each point in time, following a risk-based approach. Audits are one tool to secure this approach and to safeguard companies’ operations against past, current, and foreseeable risks.

Today, the tremendous and fast-paced evolution of cloud technology drives innovation opportunities to new heights. In turn, audits need to adjust to this pace and the technological realities, while upholding the accountability of financial services companies for the services offered. Cloud auditing ensures that Cloud Service Providers (CSPs) are using best practices, complying with security policies and risk management, and meeting certain industry benchmarks for service delivery. In the financial services industry, this also considers CSP compliance with data security measures, privacy laws and regulations, and performance expectations.

Pooled cloud audits are an innovative audit instrument that allows companies from the financial services sector to exercise their contractual audit rights in a group format. Different companies with comparable regulatory and risk-driven audit coverage requirements on the same CSP join their audit resources in a “pooled audit” to carry out one coordinated audit with a jointly agreed scope on this CSP. It allows for efficiency gains on both the side of the participating company and on the CSP’s side. Each participating bank can achieve a wider audit coverage by allocating fewer resources than usual, and the CSPs can focus on supporting a pooled audit instead of handling many similar individual customer audit requests.

A pooled audit requires good collaboration practices within the pooled audit group and between the pooled audit group and the audited CSP to achieve the desired efficiency gains. Open and transparent communication, a clear and agreed engagement model, and the availability of resources throughout the audit are essential for the success of a pooled audit.

Understandably, the changed technological realities require agile adjustments by auditors without ever losing sight of European banks’ dedication to compliance. The EBF Cloud Banking Forum’s technical paper on cloud auditing seeks to provide relevant background and technical guidance to allow financial institutions, CSPs and regulators/supervisors to navigate the complex environment for cloud audits.

Discover the full report here!
