1 Introduction
The 'cloud' is a term for using the internet to access systems and data stored outside an organisation's own premises. It can be thought of as an evolution of outsourcing IT provision, although cloud solutions also introduce new contracting models.
Public and private sector organisations are increasingly adopting cloud services with the aims of reducing costs, increasing efficiency and transforming their operations. This use of the cloud brings greater challenges than simply storing data on the cloud.
Detailed cloud guidance is available, as outlined below. Our guide provides a short summary and complements other resources by setting out specific questions for audit committees to consider when engaging with their management. Other related support for audit committees includes Cyber security and information risk guidance for audit committees and Transformation guidance for audit committees.¹
This guide aims to help audit committee members to ask informed questions at three stages:
• Assessment of cloud services. This section considers cloud services as part of organisational and digital strategies; the business case process; and due diligence.
• Implementation of cloud services. This section covers system configuration; data migration; and service risk and security.
• Management of cloud services. This section covers operational considerations; the need for assurance from third parties; and the capability needed to manage live running.
_________________________________________________________________________
1 National Audit Office, Cyber security and information risk guidance for audit committees, September 2017. Available at: www.nao.org.uk/report/cyber-security-and-information-risk-guidance/; and National Audit Office, Transformation guidance for audit committees, May 2018. Available at: www.nao.org.uk/report/transformation-guidance-for-audit-committees/