The whole new wave of I.T. spreading through businesses today is that of virtualization, cloud computing, the “cloud”, or any other similar and broad based terms or themes. Many people have hailed this new concept for obvious reasons, such as the reduction of overall hardware gear and space taken along with the ability to “virtualize” and share many common systems and applications via a centralized platform, just to name a few.
The challenge in this new I.T. arena is for auditors to truly understand what this new concept is and how they can apply new and improved auditing methods for ensuring that many popular assessment and audit initiatives (SAS 70 and PCI, just to name a few) remain viable. For example, both SAS 70 audits and PCI assessments rely heavily on “sampling” for testing. Sampling in a virtual world, though doable, will require truly understanding a virtual/cloud platform and how to logically isolate one customer’s system or environment from another customer.
In short, the old world auditing of having a single service or function residing on a dedicated, stand alone physical server box is, well, going to the grave very quickly. It’s time to roll up our sleeves and embrace the “cloud” and start to frame and shape improved audit procedures.