Cloud computing gets strategic: Reducing technology costs is just the starting point

1 | 2 | 3 | 4

pg. 2

How cloud changes the business

Capitalizing on cloud computing means being prepared for significant changes across the organization. The following describes just a few of the ways that cloud affects each functional area.


At the highest level, cloud computing becomes a new lens through which to view other business considerations. For example, how might competitors, particularly nimble start-ups or smaller organizations that are not wedded to legacy systems, use a cloud computing foundation to change industry dynamics? As the executive team identifies projected business benefits from using cloud computing and begins to articulate a strategy, it will also determine who is responsible for overseeing and implementing the strategy.


Cloud will eventually bring changes to every aspect of the finance function, including financial planning and analysis, accounting, and tax. One of the most obvious changes will be in evaluating the total cost of IT ownership. How does a cloud-based solution compare with the traditional approach? Additionally, companies will want to look at the budgeting and depreciation impact of moving from fixed IT costs to variable ones.

If a company is considering a private cloud, other considerations arise. For example, how will the investment be financed? And once it’s up and running, will the organization operate the cloud as a pay-as-you-go service by billing usage back to business units or departments—just like an external provider would?

At the highest level, cloud computing becomes a new lens through which to view other business considerations.

On the tax side, when companies buy (or sell) cloud computing services, they find it is crucial to determine exactly what is being exchanged. In a cloud computing scenario, a company might be leasing equipment, making service payments, or paying for a license to use software. Those distinctions are important and can have an impact on tax filings. Cloud computing transactions aren’t quite leases and aren’t quite services, but tax law requires that they be classified in one of those two categories. Eventually, tax regulations will be updated and clarified, but for now, they reside in a gray area.

Risk and governance

As did the disruptive technologies that preceded it—like the Web or e-commerce—cloud computing brings with it new risks to identify and address. Chief among them are security risks, particularly in the moving of company data to a third party for storage, processing, or support. These data integration and ownership concerns need to be addressed for the protection of intellectual property as well as to safeguard employee, customer, and partner information.

Again, questions arise: What controls are in place to ensure appropriate access to customer data and other sensitive information? How is one company’s data segregated from the data of other customers that use the same provider? What security-breach guards has the provider put in place? Even for companies establishing private clouds, security considerations exist, such as what type of security model is appropriate for the new environment.

As they raise these questions, companies establish the criteria by which they will identify and evaluate potential cloud computing providers. They will develop company standards and determine the appropriate service levels for their organizations. They will also think about oversight, such as who’s authorized to make the final decision about using cloud for a specific project or who’s authorized to engage a cloud vendor. With cloud services so readily available, companies that don’t establish adequate controls risk creating an environment that’s rife with so-called shadow IT—technology that is neither centrally managed nor approved and that does not typically meet the organization’s standards.

Companies reassess their strategy, looking at where cloud can accelerate projects or enable them to take advantage of new opportunities.

Companies considering those factors are also looking at whether providers can give third-party assurance about their operations. More and more cloud providers are undergoing a third-party assurance process—similar to the way more-traditional outsourcers undergo a SAS 70 audit of their controls and then furnish the report to customers and other stakeholders.1

While assurance standards are still evolving for cloud computing, providers realize that a report from an independent entity can ease customers’ concerns about security and privacy, among other issues.


Obviously, moving to cloud computing means thinking through many technical issues. For example, the management team will consider the organization’s migration strategy as well as how data that resides in the cloud will be integrated with existing systems or other outsourced functions. The team will also think about how a cloud strategy affects its ability to fully control and monitor applications even though the systems or infrastructure may reside outside the organization.

Beyond these more technical aspects, management will also assess the talent in its technology organization by ascertaining whether employees have the right skills to manage cloud-based infrastructures. Going forward, cloud computing will encourage organizations to adopt a service focus rather than a functional one. They’ll look at realigning operational resources to support business growth needs. And as their people develop expertise in cloud and enterprise architecture, they’ll contemplate how to retain valuable staff.

Other functions

As enterprise IT continues to evolve toward cloud-based solutions, other, less obvious corporate functions will feel the impact. For example, marketing and sales strategies may change as companies incorporate cloud models into their own R&D and product and service deliveries. Even a company’s legal department will need to rethink operations in light of cloud computing: Is the department prepared to review cloud-related risks and liabilities? How will electronic discovery, or eDiscovery, requirements for litigation be met?

1 A Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a report on the system of internal control related to the processing of financial reporting transactions by service organizations. A SAS 70 report is commonly used for satisfying the user organization’s requirement to assess the internal controls over financial reporting of the functions they outsourced to service organizations.

1 | 2 | 3 | 4

pg. 2