Queensland's state auditor will investigate the public sector's management of cloud computing service providers over the coming year following the government's introduction of a cloud-first mandate for IT buying.
Last May Queensland became the first Australian government to require its agencies to consider cloud-based solutions as the default option in any new IT procurements.
To keep an eye on progress, the Queensland Audit Office this week revealed it would examine how government agencies are handling the management of cloud computing services.
The government watchdog published its proposed auditing schedule out to 2018, revealing that during 2015-16 it will conduct an investigation into the "design, implementation, security and operating effectiveness of the management of ICT service providers for cloud computing".
"Cloud computing can be relatively easy to set up and fund," the QAO wrote.
"However, inadequate considerations of fit for purpose (sic), risk management and long term strategy could leave agencies with few or costly exit options in the event of unsatisfactory performance of the service providers or changes in agencies’ requirements."
The Queensland Audit Office said government agencies needed to have a "robust risk assessment and management approach for the ICT services provided by external providers".
"For the implementation of cloud computing, this includes balancing the security, scalability and value for money of public and private clouds," it said.
"A more secure but more expensive private cloud is restricted to a single enterprise. The public cloud provides scalability options but adopts ‘one size fits all’ for all enterprises sharing the infrastructure.
"Some risks in relation to public clouds include security, data and system integration, data and system portability, viability of the service provider, ICT governance and service level agreements."
The QAO's report is expected to be tabled before the end of 2016.