Many companies are likely to rush in to using cloud services without managing the concomitant risks it brings to the business. The use of cloud services can quickly become catastrophic for companies that store critical information assets in the cloud. If the management does not take the necessary provisions, it can affect the going concern of the companies. The objective of this thesis is to analyse how companies can manage risks arising from the use of cloud solutions with focus on going concern and on how the management of risks affect the audit. Throughout the thesis, we will especially draw attention to and discuss the Danish Companies Act and the Annual Accounts Act. These laws will set the foundation of requirements and responsibilities for risk assessment and internal controls to the management of the company. From a business and management perspective, it will be analyzed how these two acts define how the company complies with the regulation, when placing information assets in a cloud solution. The risk assessment is approached by using relevant elements from the COSO Enterprise Risk Management framework. Based on the findings in the analysis, we will give recommendations on how the management could respond to identified risks and thereby secure its critical information assets in a cloud solution. Due to company’s use of cloud solutions, the approach of the audit is changed. It will be analysed how the auditor can address general it-controls (GITC), when critical information assets are placed in a cloud solution. The analysis will address what steps the auditor could take in order to meet the requirements stated in the International Standards of Auditing 315 and 570. A part of the audit of GITC will be based on an ISAE 3402 report and a part will be based of supplementary actions of the auditor. Based on the conclusions we will provide recommendation to the auditor on how to approach the audit of a cloud solution. Companies must be cautious with which information assets they chose to place in a cloud solution. In order for the company to manage and reduce risks by the use of cloud solutions, they must monitor their critical information assets and events that could compromise the confidentiality, integrity and availability. In comparison the auditor should be aware of events that could result in significant and increasing risks that can affect the companies going concern. The auditor should review the ISAE 3402 report made by the cloud providers auditor, and it should be reassured that the GITC’s are addressed in the report as if the report was crafted by the auditor himself, meaning that an exhaustive auditing is needed.
|Uddannelser||Cand.merc.aud Regnskab og Revision, (Kandidatuddannelse) Afsluttende afhandling|