Partly Cloudy: Outage Raises Resiliency Concerns

By Jeff Weber, Managing Director
Technology Strategy and Operation




Everyone needs a little downtime – critical IT infrastructure, not so much. Security and reliability have long been the two primary enterprise concerns when it comes to the cloud. And while security has been the dominant concern over the past couple of years, recent high-profile cloud outages have brought reliability front and center.

A recent outage affected almost 150,000 sites. In the not so distant, cloud-less past, most companies would have had in-house servers, and the disruption would have been limited and isolated. Included in the outage was an internet messaging and chat service popular among IT professionals, who were quick to notice and spread the word. More importantly, this service enables IT services and communication and impacted organizations in their ability to maintain service levels.

Even companies with on-premise enterprise systems could find themselves unexpectedly cut off from critical services, vendor portals and clients, in the event of a service interruption at a cloud-based communications provider.

Cloud functionality affects virtually everyone. These days, if any company thinks it doesn’t have significant cloud exposure, it needs to think again. Now is the time for companies to be asking themselves whether their risk management framework is robust enough to identify risk exposure they may not have thought about.

The worst time to discover a critical exposure to a cloud outage is…well, always. Protiviti recommends that companies act now to conduct a cloud risk assessment and impact analysis and develop an effective response plan. Key elements include:

  • Conducting a thorough process review to identify any hidden cloud exposures
  • Identifying and prioritizing “crown jewels” – in this case, critical functions that must be protected from disruption
  • Comparing exposures against the company’s risk appetite and establishing a remediation threshold – for example, frequency and duration of outage
  • Creating an awareness of susceptibilities and developing response procedures

Although for many companies this type of exercise is new when it comes to cloud computing, it is essentially the same process they have applied in the past to telecommunications, infrastructure and other “always-on” systems and applications. The chief information officer should lead, or at least be at the table for this discussion, and ensure that the right people are involved in the conversation. Furthermore, the discussion should be conducted in business-relevant terms (risk, effect on operations) rather than IT terms (systems downtime, for example).

Public reaction to cloud outages, to date, has been relatively muted. That is likely to change, and quickly, as connectivity increases and digitization and the Internet of Things transforms existing business models. No one is really shocked that cloud outages happen, but now that they are on the radar, it is important to plan for the occasional yet inevitable “inclement weather.”

Cloud Adoption: Putting the Cloud at the Heart of Business and IT Strategy

By Ed Page, Managing Director
IT Consulting



Cloud computing is on the rise as businesses respond to rapidly evolving consumer behaviors, changing business models, and the opportunities and risks brought by new market entrants. Chief information officers and chief technology officers must manage this shift under mounting regulatory pressure and growing concerns about data security and privacy, while simultaneously managing complex and aging legacy infrastructure in a “do more, faster, with less” environment.

Given the criticality of a successful cloud transformation, we are publishing a series of white papers focusing on cloud adoption. The first paper in the series focuses on strategy.

In a nutshell, cloud computing’s elastic capacity allows companies to rapidly deploy and scale technology by outsourcing IT infrastructure and maintenance. This not only allows companies to focus resources on their core business, but can also improve their agility, resiliency and business continuity management capabilities. By placing cloud adoption at the center of a renewed business and IT strategy, firms can capitalize on efficiencies and drive business success. The challenge, of course, is formulating a comprehensive adoption strategy. We break it down into four components:

  • Strategy — Deploying the right application on the right architecture is not as simple as migrating existing applications to the cloud. There are several strategic considerations to evaluate, including architecture, governance, readiness and platform integration with legacy systems.
  • Implementation — Implementation and day-to-day management of cloud operations should be owned by the organization’s service operations function to ensure timely issue resolution and minimal disruption of the technology stack (infrastructure, platform, applications). Considerations should include risk management, capacity and operational excellence, and vendor selection.
  • Service Assurance — A cloud migration is an excellent time for business process improvement. Legacy applications may not be ready for cloud deployment. Care must be taken to ensure a seamless customer experience. And the IT function will need to adapt to a new role of “service broker,” capable of navigating between cloud and non-cloud platforms to deliver the best possible service to end users.
  • Security — There is a notion that cloud deployment means lower security. Security is certainly a major concern, but it is also a differentiator among cloud service providers. During vendor selection, it is important to vet candidates for data security and privacy safeguards, access management, compliance with company standard policies and procedures as well as industry-specific regulations, and incident management practices.

Clearly, cloud adoption is much more than an IT issue, and requires carefully designing, developing and implementing a cloud transformation strategy. We’re happy to share what we’ve learned. Download the white paper and let us know what you think in the comment section below.

From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions

Infographic-2015-IA-Capabilities-Needs-Survey-ProtivitiToday Protiviti released another exceptional piece of research: our 9th annual Internal Audit Capabilities and Needs Survey. This year, we took a close look at the role internal audit can and should play in helping their organizations manage cybersecurity and cyberthreats, giving the organization greater confidence in managing this ever-changing threat.

In future blog posts, we’ll be covering key takeaways from this research and offering guidance for CAEs and internal audit professionals. For now, I encourage you to view our video and infographic here, and visit, where you can download a complimentary copy of our research report.






A Global Look at IT Audit Best Practices from ISACA and Protiviti

Brand.jpgby David Brand
Managing Director – Leader, IT Audit Practice



There is no disputing technology’s role in business today as an enabler of virtually every process and function. With this enablement and the advantages IT brings also come global risks – security, cyberattacks, privacy issues, data breaches, governance, asset management and much more. The critical question we ask is: Are IT audit practices keeping pace in order to assess, monitor and mitigate critical risks coupled to a technology-enabled business? This is what ISACA and Protiviti set out to determine in conducting the fourth annual IT Audit Benchmarking Survey.

Our 5 key findings from this year’s study:

  1. Cybersecurity and privacy are primary concerns – This area is rated as the top technology challenge and also may be driving trends such as increasing involvement from audit committees in IT auditing activities.
  1. Companies face significant IT audit staffing and resource challenges – Not only is this issue ranked among the top technology challenges, but it is an undercurrent in many of the survey findings, including the use of external resources to support IT auditing efforts.
  1. Audit committees, as well as organizations in general, are becoming more engaged in IT audit – More organizations have a designated IT audit leader, and over the past three years, the percentage of IT audit leaders that regularly attend audit committee meetings has doubled.
  1. IT audit risk assessments are not being conducted, or updated, frequently enough – Given the dynamic nature of technology change and risk, it is surprising to find that some companies still do not conduct IT audit risk assessments. Not only must IT audit risk assessments be performed, but they also should be reviewed and, if necessary, updated on a quarterly basis or more frequently. However, a majority of companies are conducting these reviews annually or even less frequently.
  1. There’s room for growth in IT audit reports and reporting structures – A majority of companies do not issue enough IT audit reports, and many still have the IT audit leader in a less-than-ideal reporting structure.

IT Audit Benchmarking Survey Infographic

Check out our infographic here. To view and download our report with detailed results from our study, visit


IT Risks Are Prevalent – Do You Have Enough IT Audit Coverage?

Brand.jpgBy David Brand
Managing Director – Leader, IT Audit Practice



IT risk is everyone’s problem. By “everyone,” we mean the board of directors, senior management, process owners and internal auditors. Internal audit departments play a critical role in ensuring that mitigating processes and procedures are in place and working effectively to manage the organization’s risks. An alarming number of organizations, however, are not maximizing the input internal audit can have in helping to manage their IT risks. This neglect results in embarrassing incidents to the top of the organization, CIO organization and the owners of affected processes.

With the rapid evolution and propagation of social media, cloud and mobile technologies, IT departments are often stretched to their limits. Under pressure to implement, it’s easy to miss vulnerabilities and potential security breaches.

Examples – such as the website launch debacle and any number of corporate mea culpas regarding security breaches exposing customer financial data – illustrate vividly how quickly a glitch or vulnerability can escalate from an IT problem to a critical business problem and a huge reputational risk.

When it comes to IT audit programs and practices, our annual IT Audit Benchmarking Survey consistently reveals that organizations leave themselves significant room for improvement. Too many fail to plan and institute the IT audit coverage necessary to ensure an available, secure and efficient IT environment.

Furthermore, some organizations don’t house their IT audit resources in their internal audit departments, and others lack such resources entirely. We have found that just 1 in 4 companies have an IT audit director or someone in an equivalent role focused on technology risks.

I could say a lot on this topic, but our benchmarking survey provides a much more thorough and detailed analysis. I encourage you to read it. For now, let me close with five key questions that every CEO and audit committee member should be asking about their organization’s IT audit capabilities:

  1. Is our internal audit function performing an effective IT risk assessment at least once a year, and are people who are knowledgeable of infrastructure, applications and IT involved in the process?
  2. Has our internal audit team reviewed the COSO (2013 update) and COBIT 5 frameworks, and are our audit plans based on those recognized policies and practices?
  3. Does our IT audit team have a clear understanding of our organization’s short- and long-term IT objectives?
  4. How do we quantify our IT risks? What industry benchmarks and best practices are used?
  5. Does our IT audit risk assessment process coordinate with other risk assessment areas, including financial, operational and compliance?

As with any growing or rapidly changing risk, it is important for organizations to stay ahead of the risk management curve – and make this a sustainable effort.

For more about Protiviti’s IT Audit Benchmarking Survey, watch our video. I also invite you to see how you rate in auditing your IT risks at

The CIO’s New World – Transformation, Innovation and the Impediments to Achieving Them

by Ed Page
Managing Director – Leader, Protiviti’s National Financial Services IT Consulting Practice

Innovation and IT transformation are hot topics these days. Our Emerging Risks and IT Priorities surveys highlight these points clearly, as there’s good reason for these trends.

Technology is evolving at an incredible pace, putting new capabilities in the hands of both end users and IT professionals alike. This creates a growing need for IT organizations to become more nimble as they seek to adapt to changes in both the technology landscape and consumer behaviors. A lot of attention is being paid to the impact of social, mobile, analytics, and cloud (SMAC) technologies, with many organizations moving towards Agile development methodologies and supporting tools (DevOps) as means of becoming responsive. These areas of focus fuel many of the innovation and IT transformation opportunities that we so often hear about.

On the other hand, there is little talk about the impediments that exist in many large IT shops. The unfortunate reality is that many large enterprises are simply not engineered to take full advantage of these new methods and technical capabilities.

For example, the IT infrastructure for most enterprises in financial services has been developed over decades, often complicated by the impact of multiple mergers and acquisitions. The result is an architecture that I liken to an archeological dig. At the top layer, you’ll find some of the shiniest and newest technology known to man, but dig a little deeper, and you’ll find that it’s built on top of layers and layers of older technology, some dating back three decades or more. The interdependencies between these layers are complex, so it’s not a simple matter to “rip and replace” the older parts of the environment, but absolutely mission critical. Dealing with this reality is not as easy or lacks the same level of sizzle as deploying new products and services, but it cannot be ignored.

This underscores the need for IT transformation, making the job of the CIO a lot like the manager of a large city that has to undergo urban renewal. The enterprise – the CIO’s city – has to keep operating flawlessly while the renewal occurs. Funding for infrastructure renewal has to be procured, risks have to be managed, and “detours” have to be planned and communicated – all while core infrastructure work is underway.

And it’s not just about the technology; working through organizational change has importance since processes are designed to support the current complexity. Successful IT executives will be those who recognize the need for change, then develop and execute a risk-managed plan to adapt their people, processes and technology to create a solid foundation within an organization to support the adoption of new technical capabilities and enable innovation.

These transformation challenges, as well as opportunities presented, are described more fully in our recent FS Insights article on The IT Hierarchy of Concerns and the Ambiguous Cloud of Emerging Technology.


Assessing the Top Priorities for Today’s Internal Audit Functions

Protiviti’s research train keeps on rolling! Today we released the results of our latest Internal Audit Capabilities and Needs Survey. We’ve been conducting research to identify internal audit priorities and trends for eight years and have been very pleased with the response we continue to receive from the market. In looking at the major findings in our 2014 study, I expect this year will be no different. And kudos are due to our survey participants; they are the real “stars,” for without them studies of this nature would not be possible.

Infographic - 2014 Internal Audit Capabilities and Needs Survey

Infographic – 2014 Internal Audit Capabilities and Needs Survey

Internal audit functions today must anticipate and respond to a constant stream of new challenges – many of which deliver uncertain and still unfolding risk implications, from emerging technologies and new auditing standards to rapidly evolving business conditions. For example, in nearly every company over the past 12 months, the use of mobile and social media apps has presented new challenges, many of which are still emerging. Organizations’ growing reliance on cloud computing and data, in general, poses similarly complex challenges. Yet, these issues represent only a portion of those crowding internal audit’s 2014 priority list.

Our findings show that:

  • Social media, mobile applications, cloud computing and security (specifically with regard to the NIST Cybersecurity Framework) are critical areas of concern – Social media applications and related risks are top priorities for internal auditors to address, as are risks surrounding mobile applications, cloud computing and security.
  • CAATs and data analysis remain on center stage – As indicated in past years of our study, internal auditors plan to strengthen their knowledge of computer-assisted auditing tools, and continuous auditing and monitoring techniques.
  • Fraud management efforts focus more on technology as well as prevention – Auditors are concentrating more time and attention on fraud prevention and detection in increasingly automated business environments and workplaces.
  • “We have to keep pace with a raft of regulatory, rules-making and standards changes” – The updated COSO Internal Control – Integrated Framework represents a major change for internal audit, with significant implications for many financial, risk management and compliance activities. However, strengthening knowledge of the new COSO framework ranks as a lower priority compared to other critical rules-making changes internal auditors are digesting, including new Standards from The IIA and the new NIST Cybersecurity Framework.
  • Internal auditors want to take their collaboration with business partners to a new level – Internal audit’s longstanding desire to improve collaboration with the rest of the business has intensified, as is evident in the priority that CAEs and respondents place on communicating, and even marketing, the expertise and value that internal audit provides to the rest of the enterprise.

For more information and to download a copy of our full report, visit And I also encourage you to watch our short video: