Managing the Impact of Cloud Computing

Perspectives on Vulnerabilities, ERM, and Audit Services


A fourth Industrial Revolution is underway globally: a digital revolution driven by the rapid, wide-scale deployment of digital technologies such as high-speed mobile Internet, artificial intelligence (AI), and machine learning. Cloud computing is at the vanguard of this transformation, and organizations of all sizes, sectors, and geographies have substantially and rapidly increased their use of it. According to Gartner (2019), more than one-third of organizations see cloud investments as a top-three priority, and the public cloud services market is projected to reach $266 billion in 2020.

One driver of this proliferation and widespread use of cloud computing is the current digital transformation. In a 2016 address, Microsoft CEO Satya Nadella offered an enduring description of digital transformation: organizations "becoming more engaged with their customers, empowering their employees, optimizing how they run their business operations and transforming the products and services they offer using digital content." From a cloud computing perspective, the benefits include outsourcing costly in-house IT infrastructure that is difficult to update and manage; streamlining and scaling storage, software, and application support; increasing speed and processing capacity; and reducing costs. As a result, organizations of all sizes, geographies, and sectors, including CPA firms and their clients, are building their own private clouds or purchasing public cloud services from cloud service providers (CSPs) such as Microsoft Azure and Amazon Web Services (AWS).

While such potential benefits are compelling, market intelligence shows that cloud computing both exacerbates existing risks and creates new, unexpected ones. For example, a 2017 cloud security breach exposed the names, addresses, and account details of as many as 14 million U.S.-based Verizon customers; the data sat in a cloud storage bucket, managed by a third-party vendor, that had been configured to allow public access. In this context, one can only imagine the cloud-related cybersecurity breaches and service failures that may emerge from the unexpected disruption and rapid shift to remote working caused by the coronavirus (COVID-19) pandemic. On the one hand, cloud computing is part of what enabled workers to transition to remote working immediately and to keep accessing the data, software, and applications they need. On the other hand, such an unanticipated, rapid transformation has exacerbated existing risks and created new ones as workers access data from remote locations: breaches of data confidentiality, unauthorized access, and system availability failures.
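The Verizon exposure is the kind of incident that a routine configuration check catches before an outsider does: a storage-bucket policy or access control list (ACL) that grants read access to everyone. The following Python is an added example written for this article, not code from the authors, from Verizon, or from any CSP. It evaluates AWS-style bucket policy and ACL documents offline; the sample policy, the sample ACL, the account ID, and the VPC endpoint ID in it are constructed for illustration and do not describe any real deployment.

```python
"""Flag storage-bucket policies and ACLs that grant anonymous access.

Added example for this article (not the authors' code). The checks evaluate
AWS-style bucket policy and ACL documents offline; the sample documents
below are constructed for illustration, not exported from a real account.
"""
import json

# Actions that, when granted to everyone, expose bucket contents or listings.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

# ACL grantee groups that mean "anyone" / "any AWS account holder".
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*", {"AWS": "*"} or {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_statements(policy):
    """Return Allow statements that grant read actions to an anonymous principal.

    NotPrincipal / NotAction forms are not evaluated here; a statement using
    them should be reviewed by hand.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        exposed = actions & READ_ACTIONS
        if not exposed:
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": sorted(exposed),
            # A Condition (e.g. a VPC endpoint or source-IP restriction) may
            # narrow "*", so such statements are flagged for review rather
            # than asserted to be public.
            "conditional": "Condition" in stmt,
        })
    return findings


def find_public_acl_grants(acl):
    """Return ACL grants made to the AllUsers / AuthenticatedUsers groups."""
    return [
        {"uri": g["Grantee"]["URI"], "permission": g["Permission"]}
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_URIS
    ]


# Constructed sample policy: one vendor-scoped write, one anonymous read,
# one anonymous list that is restricted by a Condition.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VendorUpload", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/vendor-sftp"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}""")

# Constructed sample ACL: owner has full control, and AllUsers can READ.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for finding in find_public_statements(SAMPLE_POLICY):
        print("policy:", finding)
    for grant in find_public_acl_grants(SAMPLE_ACL):
        print("acl:", grant)
```

Statements whose Principal is `*` but that carry a Condition are reported as conditional rather than public, because the condition may be what keeps the bucket private; a reviewer still has to confirm that it actually does. The check reads exported policy and ACL documents and uses no cloud SDK, so it can be run against the documents a CSP or vendor hands over during an audit, which is also how the inventory and "who can see our data" questions later in this article can be answered with evidence rather than assertion.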

The Cloud’s Impact

The National Institute of Standards and Technology (NIST), in Special Publication 800-145, defines cloud computing as a model for enabling on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service-provider interaction. In simple terms, the cloud is a massive collection of large server clusters housed in data centers scattered around the globe (sometimes called cloud farms). These facilities are operated by CSP vendors such as Amazon AWS, which provide a range of hosting services.

Exhibit 2

Cloud Transparency

The KPMG Audit Committee Institute listed "understanding technology's impact," with specific reference to cloud computing, as one of seven items for the audit committee's 2020 agenda. In this context, an organization needs transparency into the nature, scope, and location of its CSP vendors and the performance of its cloud activities. The board, senior management, and CPAs should ask the following questions:

· What is our enterprise-wide cloud footprint?
    - Do we have an inventory of cloud activities?
    - Where are our servers, software, and applications?
· Who is responsible and accountable for cybersecurity, system recovery, and controls?
    - Is there a heat map valuing the data stored in private and public clouds, by location?
    - Are shared responsibilities for performance, availability, cybersecurity, and third-party assurance clearly defined and formalized in a service level agreement (SLA)?
    - Which jurisdictions' regulations are we subject to?
    - Do management, the board, CSPs, and auditors understand cloud risks?
    - What are the CSP contractual requirements and SLA terms and commitments?
· Who is accessing our data, and why? Can they see our draft 10-K and trade secrets?
    - Do our primary CSPs subcontract our cloud needs to other CSPs (i.e., third- and fourth-party risk)?
    - Are other jurisdictions accessing our data and surveilling our activities?
    - Do accountants, lawyers, and other vendors safeguard access to and storage of our data?
· Is shared responsibility for risk management strategy, methods, and skills designed properly and operating effectively?
    - Are we monitoring breaches and system failures on a continuous basis?
    - Are the stakeholders who share responsibility for governance effective and accountable?
    - Are we conducting a top-down enterprise risk management assessment?

Adapting to Digital Transformation

The emergence of cloud computing and the incipient digital transformation of business are having a profound impact on the traditional techniques and services of CPA firms. Organizations adopting or leveraging cloud computing should continuously update their inventory of cloud activities, including the nature, scope, and locations of those activities; conduct a holistic, enterprise-wide what-can-go-wrong analysis, including the cybersecurity and single-point-of-failure risks associated with their cloud ecosystem; and analyze cloud computing resiliency, including an ERM analysis of cloud performance, security risk, and change management risk. CPA firms adapting to digital disruption and transformation must understand the implications of cloud computing for their clients' business and control environment; analyze risks of material misstatement and cybersecurity risks; assess cloud controls; and manage cloud-informed changes to the firm's quality control (QC) processes and compliance.

 

Original editor: ICPA China Office