Immediately after go-live there may be a period of teething issues and frustration as it takes time for the requirements backlog to be addressed. Ongoing change management will be important through these stages to reassure users and sign-post any further changes to system interfaces or configuration. It is important for there to be strong governance in place over the cloud provider and the in-house team. Thereafter the cloud environment is likely to be more dynamic with a greater frequency and volume of changes and updates compared to an on-premises environment. The organisation will have a lesser degree of control over the acceptance of these updates, particularly with SAAS.
Questions audit committees could ask:
• Is there effective governance to prioritise the removal of any temporary workarounds? Are there any integration issues still outstanding which expose security weaknesses? Is information being manually exported to other systems and are there plans to automate this?
• Is there clear oversight over what the cloud providers are planning? Is the cloud provider being transparent over its plans to release new features and upgrades to its systems? Is the organisation able to influence the cloud provider to prioritise the developments it would value? Is the organisation assessing the impact of planned changes on the business?
• Are responsibilities clear for system changes, upgrades and patches? Does the in-house team have the capacity and expertise to manage any changes they will be required to make? How long will the team have to test any changes in a sandpit before being required to release them into the live service?
• Is there sufficient capability to take advantage of the reporting functionality? Will the in-house team continue to be dependent on third-party support to manage key reporting and system processes? Has the auditing function been turned on to provide tracking information?
• Is the organisation monitoring its usage of the cloud to confirm that it is getting the best value? Does this monitoring include the development environment as well as live services?