{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,20]],"date-time":"2026-05-20T08:31:22Z","timestamp":1779265882977,"version":"3.51.4"},"reference-count":50,"publisher":"American Accounting Association","issue":"3","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2016,9,1]]},"abstract":"<jats:title>ABSTRACT<\/jats:title>\n               <jats:p>Cloud computing services are finding rapid adoption as organizations seek cost reduction, technical expertise, flexibility, and adaptable mechanisms to attain advantages in fast-moving business environments. The related considerations of governance, audit, and assurance of cloud computing services might be inadvertently overlooked in a rush to adopt these cloud services. This paper focuses on cloud computing governance and audit issues by presenting research questions informed by both practice and research. A cloud computing ecosystem is presented and an IT Governance framework (Wilkin and Chenhall 2010) is referenced as a means to structure research questions. Key issues of risk, security, monitoring, control, and compliance should be considered early in the cloud services decision process. The tight coupling of intercompany operations between the cloud client and cloud provider(s) forms an interdependent, operationally coupled ecosystem. Planned governance is needed to achieve a well-governed, functional, and secure cloud computing environment. The audit role is complicated when the organization's financial data and\/or critical applications are hosted externally with a cloud service provider that may use other cloud service providers.<\/jats:p>","DOI":"10.2308\/isys-51494","type":"journal-article","created":{"date-parts":[[2016,6,10]],"date-time":"2016-06-10T17:21:08Z","timestamp":1465579268000},"page":"173-189","source":"Crossref","is-referenced-by-count":19,"title":["Business in the Cloud: Research Questions on Governance, Audit, and Assurance"],"prefix":"10.2308","volume":"30","author":[{"given":"Pamela J.","family":"Schmidt","sequence":"first","affiliation":[{"name":"Washburn University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jason T.","family":"Wood","sequence":"additional","affiliation":[{"name":"PricewaterhouseCoopers"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Severin V.","family":"Grabski","sequence":"additional","affiliation":[{"name":"Michigan State University"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1112","published-online":{"date-parts":[[2016,6,1]]},"reference":[{"key":"2024082915293456200_i1558-7959-30-3-173-Ackermann1","article-title":"Taxonomy of technological IT outsourcing risks: Support for risk identification and quantification","author":"Ackermann","year":"2011","journal-title":"Proceedings of the European Conference on Information Systems (ECIS)"},{"key":"2024082915293456200_i1558-7959-30-3-173-Amazoncom1","unstructured":"Amazon.com. 2015. Introduction to Auditing the Use of AWS. Available at: http:\/\/d0.awsstatic.com\/whitepapers\/compliance\/AWS_Auditing_Security_Checklist.pdf via website: http:\/\/aws.amazon.com\/compliance\/aws-whitepapers\/ (last accessed March 16, 2016)."},{"key":"2024082915293456200_i1558-7959-30-3-173-AmericanInstituteofCertifiedPublicAccountantsAICPA1","unstructured":"American Institute of Certified Public Accountants (AICPA). 2015. Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2\u00ae)-AICPA Guide. Available at: http:\/\/www.cpa2biz.com\/AST\/Main\/CPA2BIZ_Primary\/AuditAttest\/IndustryspecificGuidance\/PRDOVR\u223cPC-0128210\/PC-0128210.jsp"},{"key":"2024082915293456200_i1558-7959-30-3-173-ASECAICPA1","unstructured":"ASEC\/AICPA. 2014. Trust Services Principles, and Criteria. Available at: http:\/\/www.cpa2biz.com\/AST\/Main\/CPA2BIZ_Primary\/AuditAttest\/Standards\/PRDOVR\u223cPC-TSPC13\/PC-TSPC13.jsp"},{"issue":"4","key":"2024082915293456200_i1558-7959-30-3-173-Bapna1","doi-asserted-by":"crossref","first-page":"785","DOI":"10.1287\/isre.1100.0328","article-title":"Cooperation, coordination, and governance in multisourcing: An agenda for analytical and empirical research","volume":"21","author":"Bapna","year":"2010","journal-title":"Information Systems Research"},{"key":"2024082915293456200_i1558-7959-30-3-173-Briscoe1","doi-asserted-by":"publisher","DOI":"10.1109\/DEST.2009.5276725","article-title":"Digital ecosystem in the clouds: Towards community cloud computing","author":"Briscoe","year":"2009"},{"issue":"6","key":"2024082915293456200_i1558-7959-30-3-173-Buyya1","doi-asserted-by":"crossref","first-page":"599","DOI":"10.1016\/j.future.2008.12.001","article-title":"Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility","volume":"25","author":"Buyya","year":"2009","journal-title":"Future Generation Computer Systems"},{"key":"2024082915293456200_i1558-7959-30-3-173-CloudSecurityAlliance1","unstructured":"Cloud Security Alliance. 2015. Cloud Controls Matrix v3.0.1. Available at: https:\/\/cloudsecurityalliance.org\/download\/cloud-controls-matrix-v3-0-1\/"},{"key":"2024082915293456200_i1558-7959-30-3-173-CommitteeofSponsoringOrganizationsoftheTreadwayCommissionCOSO1","unstructured":"Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2012. Enterprise Risk Management for Cloud Computing. Available at: http:\/\/www.coso.org"},{"key":"2024082915293456200_i1558-7959-30-3-173-Crowe1","unstructured":"Crowe, K., and D. Scally. \n          2015\n          .\n          What Directors Think: 2015: A Corporate Board Member\/Spencer Stuart Survey. Available at: https:\/\/www.nyse.com\/WDT2015"},{"key":"2024082915293456200_i1558-7959-30-3-173-DeHaes1","doi-asserted-by":"crossref","DOI":"10.17705\/1CAIS.02224","article-title":"An exploratory study into the design of an IT governance minimum baseline through Delphi Research","author":"De Haes","year":"2008","journal-title":"Communications of the Association for Information Systems"},{"key":"2024082915293456200_i1558-7959-30-3-173-Fairchild1","doi-asserted-by":"crossref","first-page":"145","DOI":"10.1007\/978-1-4471-6452-4_6","article-title":"Patterns of trust: Role of certification for SME cloud adoption","author":"Fairchild","year":"2014","journal-title":"Continued Rise of the Cloud: Advances and Trends in Cloud Computing"},{"key":"2024082915293456200_i1558-7959-30-3-173-FedRAMP1","unstructured":"FedRAMP. 2015a. FedRAMP 3PAO Obligations and Performance Guide. Version 1.0(July 29). Available at: https:\/\/www.fedramp.gov\/files\/2015\/07\/3PAO-Obligations-and-Performance-Guide-v1.0.pdf"},{"key":"2024082915293456200_i1558-7959-30-3-173-FedRAMP2","unstructured":"FedRAMP. 2015b. FedRAMP Security Assessment Framework. Version 2.1(December 4). Available at: https:\/\/www.fedramp.gov\/files\/2015\/01\/FedRAMP-Security-Assessment-Framework-v2-1.pdf"},{"key":"2024082915293456200_i1558-7959-30-3-173-Fortis1","doi-asserted-by":"crossref","first-page":"265","DOI":"10.1007\/978-1-4471-6452-4_11","article-title":"From cloud management to cloud governance","author":"Fortis","year":"2014","journal-title":"Continued Rise of the Cloud"},{"key":"2024082915293456200_i1558-7959-30-3-173-Grabski1","article-title":"Proposing a cloud computing capability maturity model","author":"Grabski","year":"2014"},{"issue":"1","key":"2024082915293456200_i1558-7959-30-3-173-Grabski2","doi-asserted-by":"crossref","first-page":"37","DOI":"10.2308\/jis.2011.25.1.37","article-title":"A review of ERP research: A future agenda for accounting information systems","volume":"25","author":"Grabski","year":"2011","journal-title":"Journal of Information Systems"},{"key":"2024082915293456200_i1558-7959-30-3-173-Halpert1","doi-asserted-by":"crossref","unstructured":"Halpert, B. \n          \n          2011. Auditing Cloud Computing: A Security and Privacy Guide 21. New York, NY: John Wiley & Sons.","DOI":"10.1002\/9781118269091"},{"key":"2024082915293456200_i1558-7959-30-3-173-iLand1","unstructured":"iLand. 2016. Meeting IT Compliance Requirements. Available at: http:\/\/www.iland.com\/services\/compliance\/"},{"key":"2024082915293456200_i1558-7959-30-3-173-InformationTechnologyGovernanceInstituteITGI1","unstructured":"Information Technology Governance Institute (ITGI). 2003. Board Briefing on IT Governance. Second edition. Available at: http:\/\/www.isaca.org\/restricted\/Documents\/26904_Board_Briefing_final.pdf"},{"key":"2024082915293456200_i1558-7959-30-3-173-InternationalFederationofAccountantsIFAC1","unstructured":"International Federation of Accountants (IFAC). 2010. Assurance Reports on Controls at a Service Organization. International Standard on Assurance Engagements (ISAE) 3402. Available at: http:\/\/www.ifac.org\/system\/files\/downloads\/b014-2010-iaasb-handbook-isae-3402.pdf"},{"key":"2024082915293456200_i1558-7959-30-3-173-InternationalTelecommunicationUnionITUT1","unstructured":"International Telecommunication Union (ITU-T). 2012. Focus Group on Cloud Computing Technical Report. Available at: https:\/\/www.itu.int\/dms_pub\/itu-t\/opb\/fg\/T-FG-CLOUD-2012-P1-PDF-E.pdf"},{"key":"2024082915293456200_i1558-7959-30-3-173-ISACA1","unstructured":"ISACA. 2011. IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud. Available at: http:\/\/www.isaca.org\/Knowledge-Center\/Research\/ResearchDeliverables\/Pages\/IT-Control-Objectives-for-Cloud-Computing-Controls-and-Assurance-in-the-Cloud.aspx (last accessed May 10, 2015)."},{"key":"2024082915293456200_i1558-7959-30-3-173-ISACA2","unstructured":"ISACA. 2012. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. Available at: http:\/\/www.isaca.org\/COBIT\/Pages\/default.aspx (last accessed December 10, 2015)."},{"key":"2024082915293456200_i1558-7959-30-3-173-ISACA3","unstructured":"ISACA. 2013. COBIT 5 for Assurance. Available at: http:\/\/www.isaca.org\/COBIT\/Pages\/Assurance-product-page.aspx?cid=1001099&Appeal=SEM&gclid=CJa-3fz20MACFSdk7AodbWAAXQ (last accessed March 12, 2016)."},{"key":"2024082915293456200_i1558-7959-30-3-173-ISACA4","unstructured":"ISACA. 2014. Controls and Assurance in the Cloud: Using COBIT\u00ae 5. Available at: http:\/\/www.isaca.org\/Knowledge-Center\/Research\/ResearchDeliverables\/Pages\/Controls-and-Assurance-in-the-Cloud-Using-COBIT-5.aspx"},{"issue":"2","key":"2024082915293456200_i1558-7959-30-3-173-Iyer1","first-page":"117","article-title":"Preparing for the future: Understanding the seven capabilities of cloud computing","volume":"9","author":"Iyer","year":"2010","journal-title":"Management Information Systems Quarterly Executive"},{"key":"2024082915293456200_i1558-7959-30-3-173-Liu1","doi-asserted-by":"crossref","unstructured":"Liu, F., \n            \n              J. Tong, \n            \n              J. Mao, \n            \n              R. Bohn, \n            \n              J. Messina, \n            \n              L. Badger, and D. Leaf. \n          2011. NIST Cloud Computing Reference Architecture: Recommendations of the National Institute of Standards and Technology. Special Publication500-292. Gaithersburg, MD: National Institute of Standards and Technology, U.S. Department of Commerce.","DOI":"10.6028\/NIST.SP.500-292"},{"key":"2024082915293456200_i1558-7959-30-3-173-Mahmood1","doi-asserted-by":"crossref","unstructured":"Mahmood, Z. \n          \n          2014. Continued Rise of the Cloud. London, U.K.: Springer.","DOI":"10.1007\/978-1-4471-6452-4"},{"key":"2024082915293456200_i1558-7959-30-3-173-Mell1","unstructured":"Mell, P., and T. Grance. \n          2011. The NIST Definition of Cloud Computing, National Institute of Standards and Technology, U.S. Department of Commerce. Special Publication800-145. Gaithersburg, MD: National Institute of Standards and Technology, U.S. Department of Commerce."},{"key":"2024082915293456200_i1558-7959-30-3-173-Mont1","article-title":"Cloud security is a challenge for users and providers","author":"Mont","year":"2015","journal-title":"Compliance Week"},{"key":"2024082915293456200_i1558-7959-30-3-173-PanoramaConsultingSolutions1","unstructured":"Panorama Consulting Solutions. 2015. The 2015 ERP Report. Available at: http:\/\/panorama-consulting.com\/resource-center\/2015-erp-report\/"},{"issue":"4","key":"2024082915293456200_i1558-7959-30-3-173-Pearson1","doi-asserted-by":"crossref","first-page":"64","DOI":"10.1109\/MIC.2011.98","article-title":"Towards accountability in the cloud: View from the cloud","volume":"15","author":"Pearson","year":"2011","journal-title":"IEEE Internet Computing, IEEE Computer Society"},{"key":"2024082915293456200_i1558-7959-30-3-173-PonemonInstitute1","unstructured":"Ponemon Institute. 2014. Data Breach: The Cloud Multiplier Effect. Available at: https:\/\/www.netskope.com\/reports\/ponemon-2014-data-breach-cloud-multiplier-effect\/"},{"key":"2024082915293456200_i1558-7959-30-3-173-Risen1","article-title":"Snowden says he took no secret files to Russia","author":"Risen","year":"2013","journal-title":"New York Times"},{"key":"2024082915293456200_i1558-7959-30-3-173-Ritteninghouse1","unstructured":"Ritteninghouse, J. W., and J. F. Ransome. \n          2010. Cloud Computing: Implementation, Management and Security. Boca Raton, FL: CRC Press."},{"key":"2024082915293456200_i1558-7959-30-3-173-Schmitt1","article-title":"In disclosing secret documents, WikiLeaks seeks \u201ctransparency.\u201d","author":"Schmitt","year":"2010","journal-title":"New York Times"},{"key":"2024082915293456200_i1558-7959-30-3-173-Scribd1","unstructured":"Scribd. 2015.FedRAMP Baseline Security Controls v1.0. Available at: http:\/\/www.scribd.com\/doc\/77401829\/FedRAMP-Baseline-Security-Controls-v1-0#"},{"key":"2024082915293456200_i1558-7959-30-3-173-Segal1","first-page":"17","article-title":"Defining risk appetite","author":"Segal","year":"2006","journal-title":"Risk Management"},{"issue":"5","key":"2024082915293456200_i1558-7959-30-3-173-Sotomayor1","doi-asserted-by":"crossref","first-page":"14","DOI":"10.1109\/MIC.2009.119","article-title":"An open source solution for infrastructure management in private and hybrid clouds","volume":"13","author":"Sotomayor","year":"2009","journal-title":"IEEE Internet Computing, Special Issue on Cloud Computing I"},{"issue":"4","key":"2024082915293456200_i1558-7959-30-3-173-Stamas1","first-page":"177","article-title":"The business transformation payoffs of cloud services at Mohawk","volume":"13","author":"Stamas","year":"2014","journal-title":"Management Information Systems Quarterly Executive"},{"issue":"3","key":"2024082915293456200_i1558-7959-30-3-173-Tallon1","doi-asserted-by":"crossref","first-page":"227","DOI":"10.2753\/MIS0742-1222240308","article-title":"A process-oriented perspective on the alignment of information technology and business strategy","volume":"24","author":"Tallon","year":"2007","journal-title":"Journal of Management Information Systems"},{"key":"2024082915293456200_i1558-7959-30-3-173-EconomistIntelligenceUnit1","unstructured":"The Economist Intelligence Unit. 2014. Mapping the Cloud Maturity Curve: The Fundamental Five. Available at: http:\/\/resources.idgenterprise.com\/original\/AST-0141169_EIU_Fundamental_five_Dec2014.pdf"},{"key":"2024082915293456200_i1558-7959-30-3-173-Truong1","doi-asserted-by":"crossref","first-page":"75","DOI":"10.1007\/s00607-010-0120-1","article-title":"Cloud computing for small research groups in computational science and engineering: Current status and outlook","volume":"91","author":"Truong","year":"2011","journal-title":"Computing"},{"key":"2024082915293456200_i1558-7959-30-3-173-Vijayan1","unstructured":"Vijayan, J. \n          \n          2014. Shadow Cloud Services Pose a Growing Risk to Enterprises. Available at: http:\/\/www.computerworld.com\/article\/2598551\/malware-vulnerabilities\/shadow-cloud-services-pose-a-growing-risk-to-enterprises.html"},{"key":"2024082915293456200_i1558-7959-30-3-173-Weill1","unstructured":"Weill, P., and J. Ross. \n          2004. IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Boston, MA: Harvard Business School Press."},{"issue":"2","key":"2024082915293456200_i1558-7959-30-3-173-Wilkin1","doi-asserted-by":"crossref","first-page":"107","DOI":"10.2308\/jis.2010.24.2.107","article-title":"A review of IT governance: A taxonomy to inform accounting information systems","volume":"24","author":"Wilkin","year":"2010","journal-title":"Journal of Information Systems"},{"key":"2024082915293456200_i1558-7959-30-3-173-Wood1","doi-asserted-by":"crossref","unstructured":"Wood, J., \n            \n              W. Brown, and H. Howe. \n          2013. IT Auditing and Application Controls for Small and Mid-Sized Enterprises. 1st edition. New York, NY: John Wiley & Sons Inc.","DOI":"10.1002\/9781118801024"},{"issue":"3","key":"2024082915293456200_i1558-7959-30-3-173-Yigitbasioglu1","doi-asserted-by":"crossref","first-page":"193","DOI":"10.3127\/ajis.v18i3.1052","article-title":"Modelling the intention to adopt cloud computing services: A transaction cost theory perspective","volume":"18","author":"Yigitbasioglu","year":"2014","journal-title":"Australasian Journal of Information Systems"},{"issue":"3","key":"2024082915293456200_i1558-7959-30-3-173-Zhang1","doi-asserted-by":"crossref","first-page":"492","DOI":"10.1002\/sec.740","article-title":"Verifying cloud service-level agreement by a third-party auditor","volume":"7","author":"Zhang","year":"2014","journal-title":"Security and Communication Networks"}],"container-title":["Journal of Information Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/publications.aaahq.org\/jis\/article-pdf\/30\/3\/173\/8328\/isys-51494.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/publications.aaahq.org\/jis\/article-pdf\/30\/3\/173\/8328\/isys-51494.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,8,29]],"date-time":"2024-08-29T17:03:39Z","timestamp":1724951019000},"score":1,"resource":{"primary":{"URL":"https:\/\/publications.aaahq.org\/jis\/article\/30\/3\/173\/1049\/Business-in-the-Cloud-Research-Questions-on"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,6,1]]},"references-count":50,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2016,6,1]]},"published-print":{"date-parts":[[2016,9,1]]}},"URL":"https:\/\/doi.org\/10.2308\/isys-51494","relation":{},"ISSN":["1558-7959","0888-7985"],"issn-type":[{"value":"1558-7959","type":"electronic"},{"value":"0888-7985","type":"print"}],"subject":[],"published":{"date-parts":[[2016,6,1]]}}}