Cloud Compliance: What Auditors Are Looking For

In today’s world, many companies are either part of a regulated industry or have been identified as a critical vendor in a customer’s supply chain. These organizations are audited by regulatory bodies such as the Federal Deposit Insurance Corporation and the Office of Civil Rights or by another third-party auditor.

If your company falls into one of these two categories, you’re likely aware that most auditors look to see if your organization has implemented sound risk management and mitigation controls for safeguarding mission-critical data and business processes.

However, as more and more companies and their vendors adopt cloud solutions, you might be wondering what factors auditors consider when evaluating whether or not a cloud solution is compliant.

As a provider of private cloud vaulting and recovery solutions for regulated industries like finance and healthcare, Rentsys Recovery Services is, in auditors’ eyes, an extension of our customers’ organizations. As such, we’re expected to protect and recover each organization with the same level of scrutiny as the institution or practice’s employees. Because it’s imperative our services are conducted in a safe and sound manner while complying with applicable laws and regulations, we've become familiar with the key areas auditors view as potential issues.

Use the guidelines below as a starting point for determining whether or not you and your vendors will pass muster with your auditors.


  • How sensitive is the data that will be placed in the cloud (e.g., confidential, critical, public)?
  • What controls are in place to ensure your data is properly protected?
  • Is any data whose disclosure could harm the organization or its customers appropriately encrypted or protected?
  • Are there controls in place to ensure the integrity and confidentiality of the data?
  • Is the data stored or processed overseas?

  • Does the cloud solution have an adequate and tested plan to ensure the continuity of operations as well as its ability to recover and resume operations if an unexpected disruption occurs?
  • Does the plan account for the availability of essential communications links?

  • Does the cloud solution meet regulatory requirements for safeguarding customer information and other sensitive data?
  • What controls does the service provider have to ensure the integrity and confidentiality of the data?
  • Have the internal controls been evaluated by another auditor?

When determining the feasibility of cloud solutions for your organization, most auditors will expect you to perform thorough due diligence and a risk assessment. Keep in mind that though security, availability and privacy are key elements of sound risk management and risk mitigation controls for cloud services, you may need to consider other elements specific to your industry. A thorough risk assessment should bring those considerations to light.
