2b Business case

Cloud service providers advertise a range of selling points. These include cost efficiencies, adaptability, scalability and security. However, the cost of cloud services can vary significantly depending on uncertain factors such as user numbers and data volumes in future usage scenarios. Different suppliers have different elements to their pricing. The benefits of adaptability and flexibility depend on the complexity of implementation and the extent to which services are tailored.

Questions audit committees could ask:

•  How sensitive are planned costs to scenario testing? Does the organisation have a clear understanding of current service usage and how this might change in the future? Has it analysed the fixed, marginal and step costs in each of the different options and bundled packages? Is it necessary to buy the full service or would a streamlined or more basic version be sufficient? Does the expected usage include the development environment as well as live services?

•  What extra skills and capacity will be needed? Can the in-house team manage business case development, commercial negotiation, implementation, operations and assurance? If consultants or contractors are required to implement systems, will in-house staff be able to build knowledge and capability alongside them? What is the wider impact on the workforce and the cost of training and roll-out? The skills to implement cloud services are different from those required to implement and maintain more traditional on-premises or outsourcing arrangements. And moving from a single prime supplier to an environment involving multiple suppliers will call for a service integration and management skillset, which must be developed.

•  What time horizon is being considered in the commercial model? Has management ensured that break clauses are there to prevent lock-in if the provider does not keep pace with changes in open standards? If implementation costs are high with highly tailored services, will this weaken the negotiating position when the initial contract expires?

•  What is the cost of implementing and operating countermeasures to mitigate risk? What would be the cost of bringing services back in-house, for example if there are changes to data privacy or other regulations? What costs and barriers would there be to retrieving the organisation's own data in a format suitable for migration to another service? The degree of effort and expense to move to a new provider should not be underestimated, and the risk is most acute with software as a service.