Audit Process, Methodologies, and Cloud Applications
- Virtualization
  - complicates auditing
    - hard for the auditor to identify all machines in scope
    - need to access management console
  - cloud control mechanisms may not be understood by auditor
- Scope
  - audit scope is complicated by the different cloud service models
  - location of data may be in/out of scope depending on country
  - when auditing an org,
    - check the scope of data that is used by the CSP
    - may need to check CSP’s controls
- Gap analysis
  - auditors should not take part in recommending how to close gaps
    - may lead to conflict of interest
  - the affected department of the org should also not take part in gap analysis
    - instead, personnel from outside the target departments should do the review
      - more likely to offer unbiased opinions and suggestions
- Restrictions on Audit Scope Statements
  - auditor can issue a “scope limitation” statement if an org has not disclosed sufficient information to perform a successful and fair audit
    - indicates that the auditor was unable to render a professional judgement
  - can also issue a “disclaimer of opinion”
    - states that the audit report is not complete
    - should not be taken as wholly accurate
  - common audit standards require auditors to note any restrictions on audit scope that may materially impact the quality of the audit
- Policies
  - in cloud, more emphasis is placed on policies where customer has some control
    - e.g., access controls, data storage and recovery
  - policies more relevant in the cloud:
    - remote access
    - password management
    - encryption
    - how duties and responsibilities are separated and managed
- Audit Reports