Office of the Inspector General

Audit of Cloud Computing at the Global Fund

28 June 2017

The Secretariat has generally improved IT controls since the last OIG IT audit in 2015 (GF-OIG-15-020). No significant data loss or service interruption has occurred since then. However, the lack of an overarching strategy and limited management of risks have affected the effective roll-out of cloud computing at the Global Fund.

The Global Fund’s IT Department has grown significantly since 2015 in line with the business needs of the organization. The OIG concluded that basic IT controls are now ‘partially effective’ and that the fundamental weaknesses and security gaps identified in 2015 have been materially addressed.

Cloud computing ‘is the delivery of on-demand computing resources from applications to data centers, over the internet, on a pay-for-use basis’ according to IBM. The Global Fund started using cloud computing as an approach to IT service delivery in 2014. Approximately 60% of IT infrastructure and applications are currently managed by external providers through cloud computing techniques, as well as related types of outsourced and hosted services. This has improved the flexibility of IT operations through better availability of services.

However, the OIG noted that the adoption of cloud computing as a general approach to service delivery is not guided by a clear strategy and implementation plan. This approach to limit services delivered directly through Global Fund infrastructure has compounded an already fragmented IT infrastructure. The Secretariat has also not considered the long-term impact of cloud computing on the organization. Cloud computing at the Global Fund has evolved naturally with neither a defined approach nor a roll out plan. The absence of a clearly formulated rationale and defined targets for cloud computing make it difficult to evaluate actual progress after three years of implementation.

The auditors also noted that there is limited management of the risks involved when cloud computing is put in place. Cloud computing generally results in the transfer of several IT risks to a cloud services provider. However, the IT risk profile of the organization changes such that there is increased exposure to other types of risk such as data management, supplier performance and legal risks. For instance, cloud computing enables the Global Fund to store data in various locations, which reduces the risk of total loss in case of a significant data incident. At the same time, this decrease in operational risk may also be accompanied by an increase in legal risk as the confidentiality of Global Fund data may be weaker if stored in countries that do not provide privileges and immunities to the organization and could subpoena its records.

Furthermore, there may be a risk that the Global Fund becomes too dependent on certain providers who could exploit this dependency to make unfavorable changes in contractual terms. These and similar risk trade-offs have not yet been formally assessed nor has the potential business impact been evaluated and, where necessary, led to clear mitigating actions.   

The Global Fund Secretariat is putting in place actions to address the risks identified by the OIG including developing an IT strategy, enhancing IT governance mechanisms and improving the management of IT risks.