How to move successfully to the cloud and ensure internal controls after the migration

risk management
  • Case Study
  • 02/07/26
Julio Varas Hernandez

Senior Manager, Digital Assurance & Trust, Cloud Assurance, PwC Switzerland

What does risk management mean in the cloud?

Moving IT infrastructure and processes to the cloud promises huge benefits, efficiency gains, and long-term value creation. However, many organisations struggle to realise the full potential of the cloud because they cannot fully control the cloud environment and manage the cloud-related risks. Any migration to the cloud transfers some of the security responsibilities to a third party. Cloud assurance and trust in technology partners are therefore paramount for a successful cloud transformation.

"By assessing the client's readiness for cloud adoption, we were able to empower them to manage the risks associated with the cloud migration. They were able to adapt internal controls and close risk gaps."

Narcisse Vieira, Cloud Assurance Partner, Digital Assurance & Trust

In a nutshell

  • Context and risk shift: A Swiss luxury goods company moved toward a “data centre less” IaaS model to cut time-to-market and get closer to customers, recognising that the cloud changes its risk profile and impacts ICFR; strong cloud assurance and third‑party governance were deemed critical.
  • Pre-migration readiness: PwC benchmarked the client’s ICS against its Cloud Risk and Compliance framework and leading standards and regulations (SOX, NIST CSF, CSA CCM, ISO 27001, GDPR), identified gaps, and recommended new or adapted controls; also reviewed data migration strategy, transition plan, and application dependencies/resilience.
  • Post-migration validation: After initial rollout, PwC assessed control design and operating effectiveness, testing cloud-adapted access management, logging and monitoring, data migration, and IT general controls to ensure external audit readiness.

Challenge

Our client, a leading Swiss luxury goods company, was striving to improve the efficiency of its IT delivery. To improve its services, the company wanted to adopt a 'data centre less' strategy, with the expectation of moving 80% of its IT infrastructure to the cloud over the course of three years. The intention of the migration to a cloud-based Infrastructure as a Service (IaaS) was to reduce time-to-market and gain more customer proximity.

The client was aware that as a consequence of the cloud transition, the risk profile would also change and that they needed to establish a clear strategy for governance, compliance, and data access prior to the move to the cloud. With the outsourcing of competencies to a third party in relation to cloud migration, risks potentially increase if not managed by appropriate controls. Changes in the risk profile could have a particular impact on internal controls for financial reporting, as the cloud represents a fundamental technological shift in the underlying infrastructure of key financial applications.

To ensure that the cloud migration was carried out in compliance with all security requirements and that all cloud services met the highest security standards, our PwC team had to identify the new risks arising from the transformation and the new control requirements.

Solution

Together with the client, we conducted a governance and readiness assessment and – after the cloud migration – a post-implementation review.

The readiness assessment enabled the client to make sure that internal controls would hold up both internally and in an external audit.

  1. As a first step, we assessed the readiness of the controls framework (ICS) by agreeing on and evaluating controls from an ICS perspective and benchmarking relevant controls against the client’s Cloud Risk and Compliance framework and other leading industry frameworks and regulations (e.g., SOX, NIST CSF, CSA CCM, ISO 27001, GDPR). This allowed us to identify potential risk gaps and recommend how to close them, such as installing new controls or adapting existing ones.
  2. In a second step, we focused on the effectiveness of the controls relevant to the external audit. After completion of the initial rollout in the new cloud environment, we conducted an in-depth assessment of the control designs and showed the client ways to address weaknesses.
  3. Thirdly, we reviewed management's data migration strategy and transition plan. Finally, we evaluated application dependencies and controls to protect against the failure of critical business systems.

The second phase of the project, the post-implementation review, ensured the effectiveness of operations, processes, and controls in the new cloud environment. After the migration of the first financial systems, we tested the cloud adaptations for access management, logging and monitoring, and data migration. This review also covered the operating effectiveness of the IT general controls (ITGCs) including cloud adaptation as part of the regular ITGCs testing.

"Three years ago, we started moving our entire IT infrastructure to the cloud to reduce time-to-market and increase customer proximity. We faced the challenges of a large, heterogeneous IT infrastructure, a decentralised organisation and limited experience with the cloud. PwC helped us in different phases throughout that transformation, to update our controls to monitor and mitigate transformation risks."

Project Sponsor, a leading Swiss luxury goods company and client of PwC Switzerland

Results

  • 90% of the IT infrastructure was successfully migrated
  • 75% of manual deployment processes automated
  • 60% reduction in control deficiencies identified during external audits

Over the course of the three-year project, we assessed the client’s readiness to move their IT operations to the cloud by evaluating the cloud-related risks and helping them to address these effectively. Working closely with the client, we supported the adaptation of their IT operating model, including updating their control framework and assessing the design of new controls. As a result, more than 90% of the IT infrastructure was successfully migrated within the planned timeline, with 75% of manual deployment processes automated. In addition, we redesigned over 40 key controls and introduced 20 new cloud-specific controls, all benchmarked against leading industry frameworks and regulations such as SOX, NIST CSF, CSA CCM, and ISO 27001. Following these enhancements, the client achieved a 60% reduction in control deficiencies identified during external audits, providing greater assurance over the robustness of their new cloud environment.

After the migration, we thoroughly tested the new controls, giving the client confidence in their cloud migration and IT environment. These improvements enabled the organisation to operate with increased agility and flexibility, while maintaining high standards of security and compliance. 