# Auditing*

# Acronyms, Abbreviations, and Initialisms

# Glossary

An agreed-upon procedure is a standard a company or client outlines when it hires an external party to perform an audit on a specific test or business process. The procedures, which are called audit standards, are designed and agreed upon by the entity conducting the audit, as well as any appropriate third parties.

The auditor does not provide an opinion; rather, the entities or third parties form their own conclusions based on the report.

Auditability is collecting and making available necessary evidence related to the operation and use of the cloud.

To create an accurate frame of reference, a gap analysis is conducted. This is like a lightweight audit in that there are generally findings of weaknesses or vulnerabilities, but the purpose is to identify those weaknesses so they can be remediated prior to any actual audit work. It also provides a starting point for those organizations in the early stages of an information system program development, providing them with a clear starting point.

Gap analysis benchmarks and identifies relevant gaps against specified frameworks or standards. This includes reviewing the organization's current position/performance as revealed by an audit against a given standard.

The value of such an assessment is often determined based on what you did not know or for an independent resource to communicate to relevant management or senior personnel such risks, as opposed to internal resources saying what you need or should be doing.

Typically, resources or personnel who are not engaged or functioning within the area of scope perform gap analysis. The use of independent or impartial resources is best served to ensure there are no conflicts or favoritism. Perspectives gained from people outside the audit target are invaluable because they may see possibilities and opportunities revealed by the audit, whereas the personnel in the target department may be constrained by habit and tradition.

# Overview

Auditing forms an integral part of effective governance and risk management. It provides both an independent and an objective review of overall adherence or effectiveness of processes and controls. Audits verify compliance by determining whether an organization is following policy. This is not to be confused with verifying whether policy is actually effective. Testing is the term used to ensure policy is effective.

# Audit Planning

# 1. Define objectives

These high-level objectives should interpret the goals and outputs from the audit:

• Document and define the audit objectives.
• Define the audit outputs and format.
• Define the frequency and the audit focus.
• Define the required number of auditors and subject matter experts.
• Ensure alignment with internal audit and risk management processes.

# 2. Define scope

The organization is the entity involved in defining the audit scope. The phase includes the following core steps:

• Document the core focus and boundaries of the audit.
• Define the key components of services.
• Define the cloud services to be audited.
• Define the geographic locations that are permitted and required and those that are actually being audited.
• Define the key stages to audit.
• Document the CSP contracts.
• Define the assessment criteria and metrics.
• Document final reporting dates.

# 3. Conduct audit

When conducting an audit, keep the following issues in mind:

• Adequate staff
• Adequate tools
• Schedule
• Supervision of audit
• Reassessment

# 4. Refine/lessons learned

Ensure that previous reviews are adequately analyzed and taken into account, with the view to streamline and obtain maximum value for future audits. To ensure that cloud services auditing is both effective and efficient, several steps should be undertaken either as a standalone activity or as part of a structured framework.

• Ensure that the approach and scope are still relevant.
• Factor in any provider changes that have occurred.
• Ensure that reporting details are sufficient to enable clear, concise, and appropriate business decisions to be made.
• Determine opportunities for reporting improvement and enhancement.
• Ensure that duplication of efforts is minimal (crossover or duplication with other audit and risk efforts).
• Make sure that audit criteria and scope are still accurate, factoring in business changes.
• Have a clear understanding of what levels of information and details can be collected using automated methods and mechanisms.
• Ensure that the right skillsets are available and utilized to provide accurate results and reporting.
• Ensure that the PDCA is also applied to the CSP auditing planning and processing.
• These phases may coincide with other audit-related activities and be dependent on organizational structure. They may be structured (often influenced by compliance and regulatory requirements) or reside with a single individual (not recommended).

# Audit Responsibilities

# Internal Audit

Organizations need ongoing assurances from providers that controls are put in place or are in the process of being identified. Internal audit acts as a third line of defense after the business or IT functions and risk management functions.

• Audit can provide independent verification of the cloud program's effectiveness giving assurance to the board with regard to the cloud risk exposure.
• Internal audit can also play the role of trusted advisor and proactively work with IT and the business in identifying and addressing the risk associate with third-party providers. This allows a risk-based approach to moving systems to the cloud.

# External Audit

An external audit is typically focused on the internal controls over financial reporting. Therefore, the scope of services is usually limited to the IT and business environments that support the financial health of an organization and in most cases doesn't provide specific assurance on cloud risks other than vendor risk considerations on the financial health of the CSP.