Last week the National Audit Office published guidance on cloud services for audit committees. The guide provides a high-level overview of cloud services and outlines government policy on their use. It sets out specific questions for audit committees to consider asking when engaging with their management at three stages:
- Assessment of cloud services: looking at cloud services as part of organisational and digital strategies; the business case process; and due diligence.
- Implementation of cloud services: considering system configuration; data migration; and service risk and security.
- Management of cloud services: covering operational considerations; the need for assurance from third parties; and the capability needed to manage live running.
Alongside the overview of various cloud services, the report tracks the development of government policy from the ‘cloud first’ approach of 2013, through the ‘cloud native’ approach of 2017, to the 2019 guidance in the Technology Code of Practice (TCoP). The NAO sum up current TCoP guidance as “one size does not fit all, and organisations should make sure they understand what ‘cloud’ is and means for them. ‘Cloud first’ may not be right for everyone and cloud solutions may not always save money.” The document then goes on to lay out some specific questions for audit committees to bear in mind.
The guidance is intended to complement detailed cloud guidance available elsewhere, such as from the NCSC and FCA. Over the past couple of years techUK has also published our own cloud guidance on a range of topics, which you can read here.
You can have a look at the whole document here, and if you have any questions or comments on the guidance please do get in touch.