Knowledge Byte: What You Need to Know About Cloud Computing Audits

An audit is a systematic and independent verification of statements made by an enterprise. In the same way that a financial audit independently verifies the financial statements by management. A compliance audit verifies that the statement of compliance is accurate. The result of an audit is an assurance that the statement is correct.

The tools used by the auditor are dependent on the types of the statement made. In IT there are statements about technology and statements about management processes. Likewise, the tools used to collect information and evidence are wide-ranging.

An audit is likely to start with a review of existing documentation and earlier reports. This information is then extended and validated in interviews with staff and possibly other stakeholders of the enterprise. Information obtained from these sources is then validated and cross-checked with spot checks, samples, and observations. These can be manual or automatic. For example, most computer systems and applications contain configuration information and generate lots of Log files.

In the NIST cloud model, there is a specific mention of the Cloud Auditor, which conducts independent performance and security monitoring of cloud services.

Although every company is different, and each audit work will vary, but these are a few of the points that need to be accomplished while conducting audits:

• Audits can be conducted by internal departments or by external firms
• Agree on audit scope and phasing
• Audit result
• In a cloud context, the audit result is important to a larger number of stakeholders.

Requirements by Auditors

Some of the examples of things required by auditors are:

• Document standards and repository
• SLAs, Security policy, system description, control framework
• Evidence (documents, paper or digital)
• Process evidence (samples and spot checks)

Every audit has a scope; distinguishing what is checked and what is not checked. This scope is probably established by the stakeholder who is paying for the audit. The scope influences the amount of work involved by the auditor as well as by the organization that is being audited. The result of the audit is a report (sometimes called statement) by the auditor about the accuracy of the records or truth of the compliance. This is no more or less than an opinion by the auditor. When an auditor issues a verification of compliance, the auditor’s report may or may not include recommendations on how to address any issues that have been noted. In a cloud context, there are typically a lot of consumers, who are also interested in the audit statements. The consumer would like to rely on statements made by auditors but will have to be aware of the scope against which the audit was conducted.