There is general consensus amongst researchers that most South African companies are not yet ready to
comply with the Protection of Personal Information Act No. 4 of 2013 (the POPI Act) as they lack the
necessary skills, knowledge and understanding to effect such compliance. Whilst the flow of personal
information to trans border clouds is lawful according to section 72 of the POPI Act, and cloud services offer
benefits such as cost savings and agility, it has been determined that companies are yet to take cognisance of
the fact that there are risks associated with such transfers. Five preeminent emerging risks associated with
cloud data storage include data location, security, privacy, legal compliance and the cloud service providers
themselves. Because of their role as assurance providers, with knowledge about organisational strategy,
processes and operations, internal auditors are found to be uniquely positioned within companies to assist
effectively with risk management as required by The Institute of Internal Auditors’ International Standards for
the Professional Practice of Internal Auditing and the corporate governance standards presented in King III.
Internal auditors have been shown to be able to assist in mitigating each of the five emerging risks through
their effective auditing of contracts, policies, procedures and controls, which ultimately results in effective
advice and assurance for boards, management and stakeholders.