Mastering Cloud Asset Management

Traditional information technology asset management (ITAM) is focused on physical IT assets, or hardware, and the management of installed software licenses. ITAM is a well-understood and well-established discipline, and many organizations follow its guidance. Traditionally, on-premises software is licensed and purchased, which requires capital investment by the organization. It is considered a financial asset and therefore is reported in financial statements.

Cloud services, on the other hand, are not financial assets. Cloud asset management (CAM) refers to applying the traditional concepts of ITAM to cloud services and resources.¹ As part of the rapid migration of on-premises IT hardware infrastructure to the cloud,² physical IT hardware assets, such as servers, modems, and storage devices, are increasingly being replaced by cloud resources. Cloud resources encompass cloud services or products such as virtual machines (VMs), storage services, databases, etc., that are broadly equivalent to on-premises IT assets.

Similarly, previously purchased software licenses are being replaced by software subscriptions. Software as a service (SaaS), for example, uses a model whereby monthly subscription fees are paid, which is an operational expense.

This accelerating transition from locally owned organizational IT assets to more abstract cloud-based resources poses a challenge to how organizations classify and manage their inventory. CAM offers a solution.

Two Methods of Managing Cloud Services

There are two methods of managing cloud services. The first method situates cloud resources as services that are not considered assets but are treated as operational expenses of the organization. For this method, cloud resource costs are managed through cloud cost management (CCM).³ CCM is mainly motivated by the treatment of cloud services as operational expenses. CCM utilizes cloud hyperscaler cost management and reporting tools and services to effectively manage and control the cost of utility-based (or pay-per-use) cloud services. It focuses primarily on limiting uncontrolled growth of cloud spend. The second method, CAM, extends the traditional ITAM principles to the cloud. According to CAM, cloud assets are recorded in the organization’s IT asset register and managed similarly to traditional IT assets.

What Is CAM?

CAM⁴ refers to identifying, tracking, and optimizing cloud services and resources. Cloud resources are the specific instances of services, applications, data, and infrastructure provided by cloud service providers (CSPs) contracted by the organization. Cloud resources are often intangible, dynamic, and distributed, necessitating a different organizational approach compared to traditional on-premises IT assets.

However, some aspects of asset management remain unchanged for cloud resources. For instance, cloud resources still require diligent management, just like traditional IT assets. This includes monitoring usage, ensuring security, and optimizing performance to maintain efficiency and cost effectiveness.

Organizations looking to implement CAM should be aware that cloud resources are services and not physical assets such as servers, personal computers, or printers. Traditional IT assets such as hardware and software are often approved through the organization’s capital budgeting process. Cloud resources are services that are treated as operational expenses. The life span of cloud resources such as containers and serverless computing platforms are often very short—just minutes and seconds.

Benefits of CAM

CAM can result in reduced capital and maintenance costs with the help of automation, which increases reliability and unlocks productivity gains. It also enables state-of-the-art cloud inventory management. This is achieved through the automatic discovery of cloud services, which enables the tracking of cloud resources in real time. An accurate centralized asset inventory provides reliable records, which underpins effective asset management. Cloud asset inventory visibility is crucial for cybersecurity assurance, compliance, and effective governance, since it provides accurate and reliable records. The life cycle of cloud assets can be optimized, resulting in reduced costs.

Comparing IT Assets and Cloud Services

There are many similarities between cloud services and IT assets. IT asset management, and therefore CAM, is enabled by an ITAM platform. The ITAM platform, which is often integrated with the IT service management platform, is used as an enabler of effective asset management.

The ITAM governance framework, including hardware access management (HAM) and software access management (SAM) policies and standard operating procedures, and the ITAM operating model, which includes roles and responsibilities, can be extended to encompass CAM.

Governance requirements for CAM are mostly the same because some cloud services fulfill a similar role in the organization as IT assets. Cost management is crucial for both cloud services and IT assets, as both must be optimized to ensure cost savings and eliminate underutilized assets and resources. A reliable and accurate inventory of IT assets (on-premises) and cloud resources is necessary to enable effective life cycle management. Reporting on cloud services and IT assets is crucial to enable optimization and ensure compliance and effective governance.

Extending ITAM to cloud services such as CAM enables integrated cost management across asset and cloud service portfolios. Organizations should strive to implement a single integrated GRC framework across the IT estate, including on-premises assets and cloud resources.

Cloud Services as Assets Under International Financial Reporting Standards
One of the main differences between traditional on-premises IT assets and their replacement—cloud services—lies in how they are treated by the accounting department and under which circumstances cloud services can be considered financial assets. The International Financial Reporting Standards (IFRS) define an asset as “a resource controlled by the entity as a result of past events and from which future economic benefits are expected to flow to the entity.”⁵ There are three potential asset types that could apply to cloud services, including infrastructure as a service (IaaS), platform as a service (PaaS), or SaaS. Cloud services may be classified as leases,⁶ intangible assets,⁷ and/or a prepaid expense asset as per IAS 38 Intangible Assets.⁸

Generally, from an accounting point of view, cloud services cannot be treated as assets and should be treated as operational expenses when they are incurred. One of the main value drivers of the cloud is to convert on-premises capital expenditure (CapEx), such as the purchase or lease of property, plant, and equipment, to operational costs that are paid for when the service is received. These services are consumed on a third party’s platform and the third party owns and controls the underlying physical infrastructure on which the platform resides. In most scenarios, the consumer of cloud services does not obtain control and therefore does not own an asset. Only in exceptional cases can SaaS customizations (when the modifications are distinct from the SaaS software and under the customer’s control) be treated as an intangible asset under IAS 38. This is an exceptional scenario because the customization of a SaaS solution would become obsolete if the customer ended their subscription to the service.

Under IAS 38, an organization can recognize a prepayment as an asset when payment for services is made before those services are received. An organization will, however, not be entitled to recognize an asset beyond the point at which the organization received the related services. So, a prepaid asset can be recognized if there is an upfront payment of subscription fees for a cloud service. An example is an organization paying upfront for three years of access to a SaaS package, or an organization paying upfront for a reserved cloud server for multiple years of use. Upfront payments are common as cloud providers incentivize them through discounts, offering better terms than on-demand pricing.

Can Assets Be Managed in the Cloud?

The main argument for CCM is that VMs, storage, and SaaS are not financial assets that can be depreciated. These resources are not recognized as leased assets because they do not meet the accounting requirements for the treatment of leased assets. Consequently, they are classified as operational expenses. No capital is invested in these services. In general, IT assets require capital investment by the organization and are often approved as part of the capital allocation process. The acquisition of these services does not follow the traditional capital approval process for IT-related CapEx. Furthermore, cloud services are also not reconciled with the financial assets in the financial system because they are not deemed financial assets.

Counter to this, the argument in favor of CAM includes several important points. With migration to the cloud comes a different approach to spending. The CapEx IT assets owned by the organization located on premises become operational expenditure (OpEx) for cloud services. However, these services replace traditional IT assets and fulfill the same role. There is a danger that ITAM will therefore become redundant or reduced, and that the well-established ITAM governance discipline will become obsolete.

Organizations may utilize private clouds, where physical assets are still deployed but in a cloud context. They also have the option of choosing a bring-your-own-license (BYOL) plan, which is a software asset. In these cases, ITAM still applies.

Similar to ITAM, cloud services have a link to IT configuration management. Cloud resources are another data source from which an integrated configuration management database is populated. Moreover, the discipline of CAM includes cloud cost management as seen in figure 1. Cloud cost management primarily focuses on effective management of cloud costs. However, CAM applies a broader focus that is virtually equivalent to ITAM, but with an added focus on cost management.

As a subcomponent of ITAM, CAM is subject to the same governance, risk, and compliance (GRC) aspects defined for IT assets, which are then extended to include cloud resources (or services). If this is not the case for the organization, a separate cloud cost management framework, policy, and governance structure must be created. CAM should be applied to cloud resources and services to ensure that cloud resources and services are well governed and optimized.

Mitigating CAM Risk

Similar to IT assets, there are risk factors associated with cloud services. These issues include the underutilization of subscribed cloud services and resources, the inability to effectively identify underutilized assets or services, and unoptimized cloud service portfolios, all of which can lead to financial losses and confusion. These risk sources can be mitigated by managing cloud resources and services as part of CAM, including the management of cloud resource life cycles and the optimization of service portfolios.

Another area of risk includes incomplete, inaccurate, and unreliable cloud service and asset records, and the difficulty of obtaining reliable cloud resource inventory management information due to various non-integrated data sources (e.g., usage of multi-cloud). These risk factors can be mitigated by building a single integrated IT asset inventory with various data sources that include cloud resources.

Another risk is the unclear assignment of cloud governance roles and responsibilities. Lack of assurance for the continuity of critical cloud services and potential cybersecurity incidents related to cloud services may occur due to inconsistent processes. Integrating CAM into existing ITAM governance structures and processes can help mitigate this risk.

Conclusion

Cloud asset management extends ITAM to encompass cloud services, which are rapidly replacing traditional physical assets with virtual ones. The traditional IT landscape is morphing into virtualized cloud services that fulfill the same role of traditional assets, but at a lower cost with enhanced efficiency. Organizations, however, still require well-defined governance policies and optimized asset or cloud service portfolios. ITAM is well understood and its extension to the cloud, including CCM, is essential. The governance⁹ principles embedded in ITAM should be applied to cloud services through CAM as part of the cloud governance maturity journey.¹⁰

The linchpin for optimizing value is through cloud transformation. Despite many hurdles, organizations are at a turning point. “Those that have already started their cloud journeys need to accelerate and refine their approaches; those that have not are quickly falling behind.”¹¹ Organizations looking to implement CAM into their processes should ensure that they integrate the mentioned governance principles to manage their cloud resources efficiently and responsibly.

Endnotes

¹ Biswajeet, M.; Betz, C.; et al.; “The Software Asset Management Solutions Landscape, Q3 2023,” Forrester, 11 August 2023
² Mazula, D.; Lamprecht, C.; “Redefining Enterprise Cloud Technology Governance,” Journal, vol. 3, 2023
³ Woo, T.; Nelson, L.; et al.; “Answers to Your Top Cloud Cost Management Questions,” Forrester, 20 April 2023, Woo, T.; Nelson, L.; et al.; “The Cloud Cost Management and Optimization Landscape Q1 2024,” Forrester, 11 March 2024, Woo, T.; Nelson, L.; et al.; “Top 10 Facts Tech Leaders Should Know About Cloud Cost Optimization,” Forrester, 2 August 2023
⁴ Wohlfarther, G.; “Cloud Asset Management: The Key to Cost Control in the Cloud,” LinkedIn, 5 February 2024
⁵ International Accounting Standards Board, “Conceptual Framework for Financial Reporting,” March 2018
⁶ PricewaterhouseCoopers, “Cloud Computing: Accounting Considerations for Software-as-a-Service,” October 2018
⁷ Ifrs.org, “Configuration or Customisation Costs in a Cloud Computing Arrangement (IAS 38 Intangible Assets),” April 2021, Ifrs.org, “Customer’s Right to Receive Access to the Supplier’s Software Hosted on the Cloud (IAS 38 Intangible Assets)— March 2019,” March 2019; PriceWaterhouse Coopers, “Cloud Computing: Accounting Considerations”
⁸ Ifrs.org, “IAS 38 Intangible Assets” 
⁹ PricewaterhouseCoopers (PwC), “Unlocking the Transformational Power of Cloud in Africa,” PwC Africa Cloud Business Survey 2023
¹⁰ Mazula, D.; Lamprecht, C.; “How to Conquer Your Cloud Governance Maturity Journey,” ISACA Now Blog, 31 July 2023
¹¹ PWC South Africa, Africa Cloud Business Survey 2023, 2023

DAVID MAZULA | CISA, CISM, CDPSE, CIA

Is a partner of the digital trust team at PricewaterhouseCoopers (PwC), Cape Town. He has more than 14 years of experience delivering systems audits, internal audits, business process improvements, and other technology risk and governance consulting services across various industries.

CASPER LAMPRECHT | CIA

Is a senior manager of the digital trust team at PwC, Cape Town. He specializes in IT governance and project and program assurance. He has more than 20 years of project management experience and 15 years of experience in IT risk and governance.

RICHARD SIMPSON | CA (SA)

Is a manager of the digital trust team at PwC, Cape Town. He specializes in IT risk and controls and has experience in external and internal IT auditing including cloud environments as well as consulting engagements with businesses. He has more than five years of experience in this space.