Moving IT infrastructure and processes to the cloud promises huge benefits, efficiency gains, and long-term value creation. However, many organisations struggle to realise the full potential of the cloud because they cannot fully control the cloud environment and manage the cloud-related risks. Any migration to the cloud transfers some of the security responsibilities to a third party. Cloud assurance and trust in technology partners are therefore paramount for a successful cloud transformation.
"By assessing the client's readiness for cloud adoption, we were able to empower them to manage the risks associated with the cloud migration. They were able to adapt internal controls and close risk gaps."
Narcisse Vieira
Cloud Assurance Partner, Digital Assurance & Trust
Our client, a leading Swiss luxury goods company, was striving to improve the efficiency of its IT delivery. To improve its services, the company wanted to adopt a 'data centre less' strategy, with the expectation of moving 80% of its IT infrastructure to the cloud over the course of three years. The intention of the migration to a cloud-based Infrastructure as a Service (IaaS) was to reduce time-to-market and gain more customer proximity.
The client was aware that the cloud transition would also change its risk profile, and that it needed to establish a clear strategy for governance, compliance, and data access prior to the move to the cloud. Outsourcing competencies to a third party as part of a cloud migration can increase risks if they are not managed by appropriate controls. Changes in the risk profile could have a particular impact on internal controls for financial reporting, as the cloud represents a fundamental technological shift in the underlying infrastructure of key financial applications.
To ensure that the cloud migration was carried out in compliance with all security requirements and that all cloud services met the highest security standards, our PwC team had to identify the new risks arising from the transformation and the new control requirements.
Together with the client, we conducted a governance and readiness assessment and – after the cloud migration – a post-implementation review.
The readiness assessment enabled the client to make sure that internal controls would hold up both internally and in an external audit.
The second phase of the project, the post-implementation review, ensured the effectiveness of operations, processes, and controls in the new cloud environment. After the migration of the first financial systems, we tested the cloud adaptations for access management, logging and monitoring, and data migration. This review also covered the operating effectiveness of the IT general controls (ITGCs) including cloud adaptation as part of the regular ITGCs testing.
"Three years ago, we started moving our entire IT infrastructure to the cloud to reduce time-to-market and increase customer proximity. We faced the challenges of a large, heterogeneous IT infrastructure, a decentralised organisation and limited experience with the cloud. PwC helped us in different phases throughout that transformation, to update our controls to monitor and mitigate transformation risks."
Project Sponsor
A leading Swiss luxury goods company and client of PwC Switzerland
Over the course of the three-year project, we assessed the client's readiness to move their IT operations to the cloud by evaluating the cloud-related risks and helping them to address these effectively. Working closely with the client, we supported the adaptation of their IT operating model, including updating their control framework and assessing the design of new controls. As a result, more than 90% of the IT infrastructure was successfully migrated within the planned timeline, with 75% of manual deployment processes automated. In addition, we redesigned over 40 key controls and introduced 20 new cloud-specific controls, all benchmarked against leading industry frameworks and regulations such as SOX, NIST CSF, CSA CCM, and ISO 27001. Following these enhancements, the client achieved a 60% reduction in control deficiencies identified during external audits, providing greater assurance over the robustness of their new cloud environment.
After the migration, we thoroughly tested the new controls, giving the client confidence in their cloud migration and IT environment. These improvements enabled the organisation to operate with increased agility and flexibility, while maintaining high standards of security and compliance.
Julio Varas Hernandez
Senior Manager, Digital Assurance & Trust, Cloud Assurance, PwC Switzerland