Perspectives on Vulnerabilities, ERM, and Audit Services

 對漏洞、ERM和審計(jì)服務(wù)的看法
 

A fourth Industrial Revolution is underway globally; a digital revolution driven by the rapid, wide-scale deployment of digital technologies, such as in high-speed mobile Internet capabilities, artificial intelligence (AI), and machine learning. Cloud computing is at the vanguard of this transformation. As a result, organizations of all sizes, sectors, and geographies have substantially and rapidly increased their use of cloud computing. According to Gartner (2019), more than one-third of organizations see cloud investments as a top-three priority. The public cloud services market is projected to reach a staggering $266 billion in 2020.

第四次工業(yè)革命正在全球范圍內(nèi)進(jìn)行，一場由快速、大規(guī)模的數(shù)字技術(shù)所推動的數(shù)字革命。體現(xiàn)在高速移動互聯(lián)網(wǎng)功能，人工智能（AI）和機(jī)器學(xué)習(xí)等領(lǐng)域。云計(jì)算是這種轉(zhuǎn)變的先鋒。因此，各種不同規(guī)模、部門和地域的組織都非常迅速地增加了對云計(jì)算的使用。根據(jù)Gartner（2019）的數(shù)據(jù)，超過三分之一的企業(yè)將云投資視為三大優(yōu)先項(xiàng)目。公共云服務(wù)市場預(yù)計(jì)到2020年將達(dá)到驚人的2660億美元。

One driver in this proliferation and widespread use of cloud computing is the current digital transformation. In a 2016 address, Microsoft CEO Satya Nadella advanced this enduring description of digital transformation: “becoming more engaged with their customers, empowering their employees, optimizing how they run their business operations and transforming the products and services they offer using digital content.” Such benefits from a cloud computing perspective include managing and outsourcing costly and difficult-to-update and -manage in-house IT infrastructure; streamlining and scaling storage, software, and application support; increasing speed and processing; reducing costs. As a result, organizations of all sizes, geographies and sectors, including CPA firms and their clients, are developing their own private cloud or purchasing public cloud services from cloud service providers (CSP), such as Microsoft Azure and Amazon AWS.

云計(jì)算的擴(kuò)散和廣泛應(yīng)用的一個驅(qū)動力是當(dāng)前的數(shù)字化轉(zhuǎn)型。在2016年的一次演講中，微軟首席執(zhí)行官薩蒂亞·納德拉（Satya Nadella）提出了對數(shù)字化轉(zhuǎn)型的持久性描述：“與客戶更加緊密地接觸，增強(qiáng)員工的能力，優(yōu)化他們的業(yè)務(wù)運(yùn)營方式，并利用數(shù)字內(nèi)容改變他們提供的產(chǎn)品和服務(wù)”。從云計(jì)算的角度來看，這些好處包括對成本高昂且難以更新和管理的內(nèi)部IT基礎(chǔ)設(shè)施的管理和業(yè)務(wù)外包；優(yōu)化和擴(kuò)展存儲、軟件和應(yīng)用程序支持；提高速度和處理能力；降低成本。因此，各種規(guī)模、地域和行業(yè)的組織，包括會計(jì)師事務(wù)所及其客戶，都在開發(fā)自己的私有云，或者從云服務(wù)提供商（CSP）購買公共云服務(wù)，比如微軟Azure和Amazon AWS。

While such potential benefits are compelling, market intelligence reveals that cloud computing exacerbates risks and creates new and unexpected risks. For example, a cloud security breach exposed the names, addresses, and account details of as many as 14 million U.S.-based Verizon customers. In this context, one can only imagine the potential cloud-related cybersecurity breaches and service failures that may emerge from the unexpected disruption and rapid transformation to remote working caused by the current coronavirus (COVID-19) pandemic. On the one hand, workers unexpectedly transitioning to remote working have been enabled in part by cloud computing to immediately, rapidly, and seamlessly access necessary data, software, and applications. On the other hand, such an unanticipated disruption and rapid transformation has exacerbated existing risks and created new risks as workers access data from remote locations; for example, breaches in data confidentiality, unauthorized access, and system availability failures.

雖然這些潛在的好處是引人注目的，但市場情報顯示，云計(jì)算加劇了風(fēng)險，并創(chuàng)造了新的和意想不到的風(fēng)險。例如，云安全漏洞暴露了多達(dá)1400萬美國Verizon客戶的姓名、地址和賬戶詳細(xì)信息。在這種情況下，不難想象由于當(dāng)前的冠狀病毒（COVID-19）大流行造成的意外中斷和遠(yuǎn)程辦公的快速轉(zhuǎn)換，可能會出現(xiàn)與云相關(guān)的潛在網(wǎng)絡(luò)安全漏洞和服務(wù)故障。一方面，因?yàn)樵朴?jì)算能夠立即、快速、無縫地訪問必要的數(shù)據(jù)、軟件和應(yīng)用程序，使得工作人員在意外情況下過渡到遠(yuǎn)程工作成為可能。另一方面，這種意外的中斷和快速轉(zhuǎn)換加劇了現(xiàn)有的風(fēng)險，并在員工從遠(yuǎn)程位置訪問數(shù)據(jù)時產(chǎn)生了新的風(fēng)險；例如，數(shù)據(jù)機(jī)密性遭到破壞、未經(jīng)授權(quán)的訪問以及系統(tǒng)可用性故障。

The Cloud’s Impact

云帶來的影響

The National Institute of Standards and Technology (NIST) defines cloud computing as a means for enabling on-demand access to shared pools of configurable computing resources (e.g., networks, servers, storage applications, services) that can be rapidly provisioned and released. In simple terms, the cloud is a massive cluster of super-sized servers housed in locations scattered around the globe (i.e., cloud farms). Cloud farms are operated by CSP vendors such as Amazon AWS; these vendors provide a range of hosting services.

美國國家標(biāo)準(zhǔn)與技術(shù)研究所（NIST）將云計(jì)算定義為一種能夠按需訪問可配置計(jì)算資源（如網(wǎng)絡(luò)、服務(wù)器、存儲應(yīng)用程序、服務(wù)）的共享池的方法，這些資源可以快速調(diào)配和發(fā)布。簡單地說，云就是分布在全球各地的大型服務(wù)器集群（例如云農(nóng)場）。云農(nóng)場由亞馬遜AWS等CSP供應(yīng)商運(yùn)營，這些供應(yīng)商提供一系列托管服務(wù)。

Exhibit 2

Cloud Transparency

云透明度

The KPMG Audit Committee Institute highlighted “understanding technology’s impact”—with a reference to cloud computing—as one of their seven items to consider for the audit committee’s 2020 agenda. In this context, an organization needs transparency into the nature, scope, and location of CSP vendors and the performance of their cloud activities. The board, senior management, and CPAs should ask the following questions:

KPMG審計(jì)委員會研究所（KPMG Audit Committee Institute）強(qiáng)調(diào)了“理解技術(shù)的影響”，并將云計(jì)算作為審計(jì)委員會2020年議程中需要考慮的七個項(xiàng)目之一。在這種情況下，組織需要透明化CSP供應(yīng)商的性質(zhì)、范圍和位置以及他們的云活動的性能。

· What is our enterprise-wide cloud footprint?

· 我們企業(yè)的云足跡是什么？

o Do we have an inventory of cloud activities?

o 我們有云計(jì)算活動的清單嗎？

o Where are our servers, software, and applications?

o 我們的服務(wù)器、軟件和應(yīng)用程序在哪里？

· Who is responsible and accountable for cybersecurity, system recovery, and controls?

· 誰負(fù)責(zé)網(wǎng)絡(luò)安全、系統(tǒng)恢復(fù)和控制？

o Is there a heat-map valuing data stored in private and public clouds, by location?

o 是否有熱圖可以按位置對存儲在私有和公共云中的數(shù)據(jù)進(jìn)行評估？

o Are shared-responsibilities for performance, availability, cybersecurity, and third-party assurance clearly defined and formalized in a service level agreement (SLA)?

o 服務(wù)水平協(xié)議（SLA）中是否明確規(guī)定并正式規(guī)定了性能、可用性、網(wǎng)絡(luò)安全和第三方保證的共同責(zé)任？

o Which global jurisdiction regulations are we subject to?

o 我們要遵守哪些全球管轄法規(guī)？

o Do management, the board, CSPs, and auditors understand cloud risks?

o 管理層、董事會、CPS和審計(jì)師了解云風(fēng)險嗎？

o What are the CSP contractual requirements and SLA terms and commitments?

o CSP合同要求和SLA條款和承諾是什么？

· Who is accessing our data, and why? Can they see our draft 10-K and trade secrets?

· 誰在訪問我們的數(shù)據(jù)，為什么？他們能看到我們的10-K草案和商業(yè)機(jī)密嗎？

o Do our primary CSPs subcontract our cloud needs to other CSP subcontractors (i.e., third- and fourth-party risk)?

o 我們的主要CSP是否將我們的云需求分包給其他CSP分包商（即第三方和第四方風(fēng)險）？

o Are other jurisdictions accessing our data and surveilling our activities?

o 其他司法管轄區(qū)是否在訪問我們的數(shù)據(jù)并監(jiān)督我們的活動？

o Do accountants, lawyers, and other vendors safeguard access and storage of our data?

o 會計(jì)師、律師和其他供應(yīng)商是否保護(hù)我們數(shù)據(jù)的訪問和存儲？

· Is shared responsibility for risk management strategy, methods, and skills designed properly and operating effectively?

· 風(fēng)險管理策略、方法和技能的共同責(zé)任是否設(shè)計(jì)得當(dāng)并有效運(yùn)作？

o Are we monitoring breaches and system failures on a continuous basis?

o 我們是否持續(xù)監(jiān)控違規(guī)和系統(tǒng)故障？

o Are stakeholders effective and accountable to those who share responsibility for governance?

o 利益相關(guān)者是否有效地并對那些共同承擔(dān)治理責(zé)任的人負(fù)責(zé)？

o Are we conducting a top-down enterprise risk management assessment?

o 我們是否正在進(jìn)行自上而下的企業(yè)風(fēng)險管理評估？

Adapting to Digital Transformation

適應(yīng)數(shù)字化轉(zhuǎn)型

The emergence of cloud computing and the incipient digital transformation of business is having a profound impact on the traditional techniques and services provided by CPA firms. Organizations adopting or leveraging cloud computing should obtain a continuous update of their inventory of cloud activities, including the nature, scope, and locations of their cloud activities; conduct a holistic, enterprise-wide, what-can-go-wrong analysis, including cybersecurity risks and single-point-of-failure risks associated with their cloud ecosystem; and perform an analysis of cloud computing resiliency, including an ERM analysis of cloud performance, security risk, and change management risk. CPA firms adapting to digital disruption and transformation must obtain an understanding of the implications of cloud computing on their clients’ business and control environment; analyze risks of material misstatement and cybersecurity risks; assess cloud controls; and manage cloud-informed changes to the CPA firm’s QC processes and compliance.

云計(jì)算的出現(xiàn)和商務(wù)數(shù)字化轉(zhuǎn)型的初現(xiàn)，對會計(jì)師事務(wù)所提供的傳統(tǒng)技術(shù)和服務(wù)產(chǎn)生了深遠(yuǎn)的影響。采用或利用云計(jì)算的組織應(yīng)獲得其云活動清單的持續(xù)更新。包括其云活動的性質(zhì)、范圍和位置；進(jìn)行全面的、企業(yè)范圍的、可能出錯的分析，包括與云生態(tài)系統(tǒng)相關(guān)的網(wǎng)絡(luò)安全風(fēng)險和單點(diǎn)故障風(fēng)險；執(zhí)行云計(jì)算彈性分析，包括云性能、安全性和變更管理風(fēng)險的ERM分析。適應(yīng)數(shù)字顛覆和轉(zhuǎn)型的會計(jì)師事務(wù)所必須了解云計(jì)算對客戶業(yè)務(wù)和控制環(huán)境的影響；分析重大錯報風(fēng)險和網(wǎng)絡(luò)安全風(fēng)險；評估云控制；并管理注冊會計(jì)師事務(wù)所的QC流程和合規(guī)性的“云通知”變更。