The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF section 2200—General Standards. The audit/assurance programs are part of ITAF section 4000—IT Assurance Tools and Techniques.

Objective—The cloud systems audit/assurance review will:

  • Provide stakeholders with an assessment of the effectiveness of the cloud computing service provider’s internal controls and security
  • Identify internal control deficiencies within the customer organization and its interface with the service provider
  • Provide audit stakeholders with an assessment of the quality of the service provider’s attestations regarding internal controls and of their ability to rely upon those attestations

It is not designed to replace or focus upon audits that provide assurance of specific application processes and excludes assurance of an application’s functionality and suitability.

Scope—The review will focus on:

  • The governance affecting cloud computing
  • The contractual compliance between the service provider and customer
  • Control issues specific to cloud computing

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation, or has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and/or necessary subject matter expertise to adequately review the work performe