
Knowledge Byte: What You Need to Know About Cloud Computing Audits


Cloud Credential Council (CCC)


An audit is a systematic and independent verification of statements made by an enterprise. In the same way that a financial audit independently verifies the financial statements made by management, a compliance audit verifies that the statement of compliance is accurate. The result of an audit is an assurance that the statement is correct.

The tools used by the auditor depend on the type of statement made. In IT there are statements about technology and statements about management processes. Likewise, the tools used to collect information and evidence are wide-ranging.

An audit is likely to start with a review of existing documentation and earlier reports. This information is then extended and validated in interviews with staff and possibly other stakeholders of the enterprise. Information obtained from these sources is then validated and cross-checked with spot checks, samples, and observations. These can be manual or automatic. For example, most computer systems and applications contain configuration information and generate many log files.

In the NIST cloud model, there is a specific mention of the Cloud Auditor, which conducts independent performance and security monitoring of cloud services.

Although every company is different and each audit will vary, these are a few of the points that need to be accomplished while conducting audits:

  • Audits can be conducted by internal departments or by external firms
  • Agree on audit scope and phasing
  • Audit result
  • In a cloud context, the audit result is important to a larger number of stakeholders.

Requirements by Auditors

Some examples of things required by auditors are:

  • Document standards and repository
  • SLAs, Security policy, system description, control framework
  • Evidence (documents, paper or digital)
  • Process evidence (samples and spot checks)

Every audit has a scope, distinguishing what is checked and what is not checked. This scope is probably established by the stakeholder who is paying for the audit. The scope influences the amount of work involved for the auditor as well as for the organization that is being audited. The result of the audit is a report (sometimes called a statement) by the auditor about the accuracy of the records or the truth of the compliance. This is no more or less than an opinion by the auditor. When an auditor issues a verification of compliance, the auditor's report may or may not include recommendations on how to address any issues that have been noted. In a cloud context, there are typically many consumers who are also interested in the audit statements. The consumer would like to rely on statements made by auditors but will have to be aware of the scope against which the audit was conducted.
