Earning customer trust through a pandemic: delivering our 2020 CCAG pooled audit

At Google Cloud, we work closely with customers who want to assess and verify the security of our platform. Take as an example our recent collaboration with the Collaborative Cloud Audit Group (CCAG). As our customers increased their use of cloud services to meet the demands of teleworking and aid in COVID-19 recovery, we’ve worked hard to meet our commitment to being the industry’s most trusted cloud, despite the global pandemic. That’s why we are proud to announce that Google Cloud completed an annual pooled audit with the CCAG in a completely remote setting, and was the only cloud service provider to do so in 2020.  

The CCAG is a syndicate of 39 leading European financial institutions and insurance companies who depend on cloud infrastructure and technologies to deliver innovative solutions and experiences for their customers. For these institutions, managing the risks associated with outsourcing material workloads and satisfying strict national and EU regulatory obligations is of critical importance. Carrying out cloud audits at scale is resource intensive, and CCAG members exercise their audit rights by combining the audit scope and fieldwork into one unified annual engagement. Pooled audits of cloud service providers, as stipulated in the European Banking Authority’s Guidelines on outsourcing arrangements, help streamline the audit process and decrease the organisational burden on both the CCAG members and their providers, like Google.

Hamidou Dia, vice president for Solutions Engineering at Google Cloud, whose team spearheaded the audit, reflected on how initiatives such as pooled audits can bolster customer trust: 

“The financial services industry is rapidly changing to meet rising customer expectations and growing regulatory compliance requirements,” Dia said. “We offer verifiable transparency to our customers, so they can confidently and securely leverage Google’s innovative cloud technologies to digitally transform their business and the industry as a whole. We are pleased to partner with CCAG, who are emerging as global leaders in setting the framework for efficient and effective pooled audit assessments.”

The COVID-19 pandemic required CCAG and Google to re-imagine the 2020 audit process, which is traditionally performed via onsite meetings and inspections. We instead relied on the security and collaboration capabilities of Google Drive and Google Meet to store and access evidence exhibits, and to meet with subject matter experts. During each phase of the approximately six-month engagement period, the audit teams worked openly and transparently through both offline and interactive sessions to validate Google Cloud’s policies, processes, and technologies. 

“This is the first time we worked completely remotely and we all learned a lot. We were able to complete the audit fieldwork and Google offered CCAG extensive transparency into their processes and live systems,” said Christina Hepp, divisional head IT, Operations & Sourcing Group Audit, Commerzbank. “Regulators consider a cloud provider’s controls as part of our internal control system and expect us to audit these as such. We were able to verify documentation, reviewed samples, and interviewed subject matter experts to reasonably satisfy the CCAG participating members’ individual risk assessments.”

Our annual pooled audits provide the necessary risk assessments and assurances for CCAG members to accelerate their digitization efforts and journey onto the cloud. To help build that trust, we must provide verifiable transparency and remove challenges to security and compliance. We are committed to being a dedicated digital transformation partner and continue to evolve with our customers to meet their regulatory obligations. To learn more about Google Cloud Trust & Compliance, visit our Compliance resource center.