Cloud Security Compliance Audits: Are You Audit Ready?


The requirement for cloud security audits for applications and infrastructure running within cloud environments has, at this point, become second nature to the industry. It is often a milestone needed to raise funding or in the expansion of clients. This article will define cloud compliance audits, outline the objectives and scope of a cloud audit, explain cloud compliance, and outline the steps to expect in a cloud audit.

Why Are Cloud Security Audits Important?

There are two outcomes that make cloud security audits worth the investment: funding and users. Raising funding now often requires a completed cloud audit before investors will consider an organization for seed money or as part of an acquisition. The other major reason is expanding the client base: since cloud security audits have become the baseline for doing business, completing one has become an unwritten step in the quest for additional clients. There is a third reason compliance matters that is often overlooked because it is less obvious: consistency.

Consistency isn’t cool, especially in the tech world, but it’s the unspoken outcome of compliance. To be clear, consistency doesn’t mean rigid; it just means repeatable. This can be frustrating for companies, which is why there is often back and forth between auditors and auditees. Auditees want black and white in terms of requirements, but compliance is meant to be agile. It’s meant to allow the organization to function within a framework without following the same recipe, just like the business itself. In the right organization, compliance should be viewed as part of its secret sauce. It can make an organization unique and function better, all while having consistency to address control requirements.

 


When Cloud Compliance Becomes a Lifeline: A Real-World Example

Imagine the following scenario: A company, let’s call it LoopThread, created a SaaS that focuses on creating community connections. The SaaS was growing rapidly and, as part of that growth, was collecting large amounts of information about communities and their members. One day, the team decided that code changes no longer needed to go through certain tests, and that certain approvals were no longer required, because a new technology on the market would cover them. During that transition, a vulnerability that would normally have been identified through testing was not caught, and as a result the data became reachable from the public internet. The vulnerability was found by outsiders before the team found it, and the data maintained as part of the normal business service had been exposed. LoopThread never recovered, and its expansion in the industry was interrupted.

Why bring this scenario up? Because this happens every day, and compliance could have helped mitigate the risk of it occurring. Compliance forces new processes to be looked at through the risk lens. Additionally, a cloud security compliance audit would have forced LoopThread to justify why the new technology was an appropriate replacement for testing and approvals. Sample questions could include:

  • How does the new technology handle edge cases?
  • What evidence shows which classes of vulnerabilities it catches, and which it does not?
  • What is the fallback if the technology fails?

As an audit firm, the goal is never to stop a company from adopting new technologies that help it scale. Our goal is to make sure compliance requirements are still being met in the quest to become a more streamlined company. We always want success in a safe and compliant manner, even for our mock company, LoopThread.

What Are Cloud Security Auditing & Cloud Compliance Audits in Cloud Computing?

Cloud computing is best defined by the National Institute of Standards and Technology (NIST). NIST is an agency of the U.S. Department of Commerce with the mission of encouraging innovation through science, technology, and standards, including cloud computing. According to NIST Special Publication 800-145, “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”

This definition was created to set a baseline for the discussion around cloud computing. As defined, cloud computing includes the following:

  • Five Essential Characteristics: On-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.
  • Three Service Models: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS).
  • Four Deployment Models: Private cloud, community cloud, public cloud, and hybrid cloud.

The different characteristics, service models, and deployment models can be shaped and morphed into different resources depending on the needs of the organization.

Cloud Compliance Audits

During a cloud compliance audit, a third-party independent group is engaged to obtain evidence through inquiry, physical inspection, observation, confirmation, analytics procedures, and/or re-performance.

In a cloud computing audit, a combination of these procedures is performed to form an opinion on the design and operating effectiveness of controls in the areas listed below. Cloud security audits come in several forms depending on who will rely on the report: SOC 1 and SOC 2 reports, ISO 27001 certification, HIPAA attestation, HITRUST certification, CMMC, and FedRAMP authorization. Most companies in the United States lean toward SOC 1 (controls relevant to customers’ financial reporting) or SOC 2 (security and the other Trust Services Criteria), while companies in other parts of the world often expect ISO 27001. Organizations that handle electronic protected health information (ePHI) are often expected to obtain a HIPAA attestation or a HITRUST certification. CMMC applies to systems that handle Controlled Unclassified Information (CUI), and FedRAMP to cloud services that hold federal data. Often the required audit is spelled out in the contract or request for information. Below are the types of information reviewed as part of the audit; the frameworks differ in detail, but they overlap heavily.

  • Communication: Communication can include how policies are communicated to the organization. Are they reviewed and approved at least annually, and are security roles and responsibilities detailed and communicated to the organization?
  • Security Incidents: An organization should have a process that helps it determine what a security incident is and when to enact the incident response plan. Further, incidents should have a designated place where they are captured and managed. Finally, if needed, the communication of security incidents should be defined, and the responsibility for that communication should be clear.
  • Network Security: Boundaries of the network and production environment should be defined and documented. This allows the organization to implement access controls where needed so that protections can be put into place to protect access to the network. Additionally, protections inside the network should be set up to maintain least privilege to data based on business needs.
  • System Development or Change Management: Changes to the application or infrastructure should follow a defined process and be documented so that, in the event an unauthorized change is made or a change doesn’t function as intended, it can be reviewed and fixed in a timely manner that has the least amount of impact on production as possible.
  • Risk Management: Organizations should have an understanding of how the world could impact their services. Risks can come externally through vulnerabilities, regulations, or technologies, or internally from people. The best way to manage risks is through understanding how they can impact the organization and how that risk can be mitigated through controls.
  • Data Management: Classification of data is key to its protection. This is especially true for those who manage a type of data that is protected by regulatory agencies, such as HIPAA data or CUI. These data types have special requirements that should be understood, and protections such as encryption should be put into place. Finally, a data flow diagram should document where this information exists and how it is protected.
  • Vulnerability and Remediation Management: External and internal vulnerability scans and penetration testing should be implemented to aid in the identification of vulnerabilities. Further, a process to track remediation of the vulnerabilities should be put into place.
  • Tone at the Top or Leadership’s Commitment to Transparency and Ethical Behavior: Security of information starts at the top. If the top of the organization doesn’t take time to invest in the security of information and all the controls (mentioned above), it’s much less likely that the organization itself will budget and promote a more secure environment, both at the people level and at the technology level.

 


Is Cloud Security Different from Cybersecurity?

The short answer to this is no. Cloud security is cybersecurity applied to systems hosted in the cloud, and the two terms are used synonymously. Both focus on the protection of data through authentication, access controls, encryption, logging, and so on. The one practical difference is the shared responsibility model: the cloud provider operates some of those controls and the customer is responsible for the rest, so an audit has to be clear about which controls belong to whom.

How Do You Achieve Cloud Compliance?

While a great question, the achievement of cloud compliance is not a simple answer. Why, you may ask? Because it is possible to be compliant today and out of compliance tomorrow. However, the best way to demonstrate to users that cloud compliance has been achieved is to, first, set a goal of what that means and, second, engage a third party to validate that controls were designed, implemented, and operated consistently over time. Goals in this instance are generally whether or not a company complies with certain criteria or frameworks. Once the scope of the cloud computing audit has been established, execution can commence.

During the planning and execution stages of a cloud security and compliance audit, it is important to have a clear understanding of what the objectives of the audit include (see Cloud Audit Objectives below). Companies should strive to align their business objectives with the objectives of the audit. This will validate that the time and resources spent will help achieve a strong internal control environment and lower the risk of a qualified opinion.

There have, however, been advancements in managing continuous compliance. Many tools have come to market in the last few years that allow their customers to define controls that alert when the organization goes out of compliance. Additionally, they often have agents that run in the background and give insight into the footprint of the environment. I suspect these tools will only get better with time, but they currently have some challenges. The controls in place are often boilerplate and do not always provide full context into the system and the other systems that could impact services. Additionally, for any control that is not automated, audit readiness still depends on the organization’s own judgment, which can lead it to miss gaps. I think the key is to understand that these tools are one way to lower the risk of being out of compliance, but having strong processes in place that produce consistency is what sets an organization apart in terms of audit success.

 


Cloud Audit Objectives

Auditors use objectives as the basis for concluding on the evidence they obtain. Below is a sample list of cloud computing objectives that can be used by auditors and businesses alike.

  • Define a Strategic IT Plan: The use of IT resources should align with the company’s business strategies. When defining this objective, some key considerations should include whether IT investments are supported by a strong business case and what education will be required during the rollout of new IT investments.
  • Define the Information Architecture: The information architecture includes the network, systems, and security requirements needed to safeguard the integrity and security of information, whether that information is at rest, in transit, or being processed.
  • Define the IT Processes, Organization, and Relationships: Creating processes that are documented, standardized, and repeatable creates a more stable IT environment. Businesses should focus on creating policies and procedures that include organization structure, roles and responsibilities, system ownership, risk management, information security, segregation of duties, change management, incident management, and disaster recovery.
  • Communicate Management Aims and Direction: Management should make sure its policies, mission, and objectives are communicated across the organization.
  • Assess and Manage IT Risks: Management should document those risks that could affect the objectives of the company. These could include security vulnerabilities, laws and regulations, access to customers or other sensitive information, etc.
  • Identify Vendor Management Security Controls: As companies are relying on other vendors, such as AWS to host their infrastructure or ADP for payroll processing, companies need to identify those risks that could affect the reliability, accuracy, and safety of sensitive information.

 


What Are the 4 As in Cloud Auditing?

The four “A’s” in cloud auditing are as follows: Authentication, Authorization, Accounting (or Account Management), and Auditability. While the four A’s of cloud auditing were not created by a governing body, they identify key requirements that a cloud service provider needs to consider within the tool. Below is a breakdown of each.

Authentication

How does a user authenticate or log in to the tool? Does the tool allow for each user to have a unique login and password so that the individual can authenticate as a unique user of the tool? Further, does authentication require a strong, complex password so that the password is not easily guessed? Finally, does the tool allow for multifactor authentication? All of these considerations are key to help lower the risk of identity theft or successful brute force attacks.

Authorization

Once inside the tool, is logic applied so that only certain individuals have access to the information that they are required to access as part of their role and responsibilities? Can only certain individuals have administrative access, which allows for access to all data? Are other roles identified that restrict access that is not required?

Accounting (or Account Management)

Is access to the tool and data tracked through logging? The tool should track who is doing what. For example, did John Smith access ePHI and modify that information? Or did the tool track if there was an error with authentication? Information on who authenticates and what they do within the system should be logged. This allows the system administrator to understand resource needs and performance issues that may occur.

Auditability

Auditability allows for the review of events and forensic research as needed. Will certain events trigger an alert, so that if an individual authenticates in the middle of the night the event is reviewed to validate that it was, in fact, the correct user or that there is a reasonable explanation? Alerts like these identify events that need to be followed up on, and with the introduction of machine learning and AI, environments are starting to be able to learn a user’s normal pattern of use so that something out of the ordinary can be pinpointed. Additionally, how long are logs maintained? In some cases they are required to be maintained for a specific length of time; in general, they should be kept at least long enough to cover the audit period, which is commonly a year.
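The checks described above, as an added example that is not part of the original article: a small review pass over constructed authentication log lines, flagging successful logins outside business hours, bursts of failed authentication from one source (a brute-force signal), and whether the retained log history is long enough. The log format, the business-hours window (08:00 to 18:00 UTC), the 365-day retention requirement, and the five-failures-in-ten-minutes threshold are all assumptions made for the example, not requirements stated by the article.

```python
"""Added example (not from the original article): auditability checks over
constructed authentication log lines.

Assumptions (mine, not the article's): one JSON object per line with fields
ts (ISO 8601, UTC), user, event ("auth.success" / "auth.failure") and src_ip;
business hours 08:00-18:00 UTC; logs must cover 365 days; five or more
failures from one IP within ten minutes is treated as a brute-force signal.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BUSINESS_HOURS = (8, 18)          # assumed policy: hour >= 8 and hour < 18 is "in hours"
RETENTION_DAYS = 365              # assumed retention requirement
FAILURE_THRESHOLD = 5             # assumed brute-force threshold
FAILURE_WINDOW = timedelta(minutes=10)

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
{"ts": "2026-03-02T09:15:00Z", "user": "jsmith", "event": "auth.success", "src_ip": "203.0.113.10"}
{"ts": "2026-03-02T02:41:00Z", "user": "jsmith", "event": "auth.success", "src_ip": "198.51.100.7"}
{"ts": "2026-03-02T10:00:00Z", "user": "admin", "event": "auth.failure", "src_ip": "192.0.2.5"}
{"ts": "2026-03-02T10:01:00Z", "user": "admin", "event": "auth.failure", "src_ip": "192.0.2.5"}
{"ts": "2026-03-02T10:02:00Z", "user": "admin", "event": "auth.failure", "src_ip": "192.0.2.5"}
{"ts": "2026-03-02T10:03:00Z", "user": "root", "event": "auth.failure", "src_ip": "192.0.2.5"}
{"ts": "2026-03-02T10:04:00Z", "user": "root", "event": "auth.failure", "src_ip": "192.0.2.5"}
{"ts": "2026-03-02T13:30:00Z", "user": "mlee", "event": "auth.success", "src_ip": "203.0.113.11"}
"""


def parse_log(text):
    """Parse JSON-lines auth events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def off_hours_logins(events):
    """Successful logins outside the business-hours window; each one needs a review."""
    start, end = BUSINESS_HOURS
    return [e for e in events
            if e["event"] == "auth.success" and not (start <= e["ts"].hour < end)]


def brute_force_sources(events):
    """Source IPs with FAILURE_THRESHOLD or more failures inside any FAILURE_WINDOW."""
    by_ip = defaultdict(list)
    for e in events:                      # events are already time-ordered
        if e["event"] == "auth.failure":
            by_ip[e["src_ip"]].append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        lo = 0
        for hi in range(len(times)):      # sliding window over the sorted failure times
            while times[hi] - times[lo] > FAILURE_WINDOW:
                lo += 1
            if hi - lo + 1 >= FAILURE_THRESHOLD:
                flagged.add(ip)
                break
    return sorted(flagged)


def retention_satisfied(events, now):
    """True if the oldest retained event is at least RETENTION_DAYS old."""
    oldest = min(e["ts"] for e in events)
    return now - oldest >= timedelta(days=RETENTION_DAYS)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in off_hours_logins(evs):
        print(f"review: off-hours login by {e['user']} from {e['src_ip']} at {e['ts'].isoformat()}")
    for ip in brute_force_sources(evs):
        print(f"review: possible brute force from {ip}")
    print(f"log history covers {RETENTION_DAYS} days:",
          retention_satisfied(evs, datetime.now(timezone.utc)))
```

The sliding window in `brute_force_sources` is what distinguishes a real burst from the same number of failures spread across a week; the off-hours and retention checks are deliberately simple so that the thresholds can be replaced with whatever the organization’s own policy states.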

What Is the Responsibility of a Cloud Compliance Auditor?

The role of an auditor is to provide an objective opinion, based on facts and evidence, that a company has controls in place to meet a certain objective, criteria, or requirement. Additionally, in many cases, the auditor will also provide an opinion on whether those controls operated over a period of time. Auditing the cloud for compliance is no different. In instances where the audit requires cloud compliance to satisfy the criteria, the auditor will ask for evidence that controls are enabled (e.g., security group rules, encryption at rest, logging). This allows the cloud auditor to provide an opinion on whether controls were in place and, as applicable, whether they operated over a period of time.

 


What Factors Should be Included as Part of Your Cloud Audit Checklist?

As mentioned before, auditors rely on different types of procedures such as inquiry, physical inspection, observation, confirmation, analytics procedures, and/or re-performance to collect evidence. These test procedures will be used in combination to obtain evidence to provide an opinion on the service being audited. While a checklist for an audit doesn’t really exist, as every environment is a little different, below are example tests performed for each of the IT general control areas identified above. Note that this is not an all-inclusive list.

 

Each control area below lists the procedures the auditor performs and the exceptions that most commonly arise.

Organization and Administration
Procedures:
  • Inspect the company’s organizational structure
  • Inspect job roles and responsibilities
  • Observe interviews for technical competency assessment
  • Inspect completed background checks
Common exceptions: A lack of consistency turns up exceptions in this area. For example, if background checks are required before access to production is granted, a change in personnel or tooling will often surface a background check that was completed months after access was given. Preparing for a change in process is key here: whenever a key stakeholder, process, or tool changes, a review with the auditor can help validate that there are no interruptions that could result in an exception.

Communication
Procedures:
  • Inspect policies and procedures
  • Inspect evidence that policies and procedures are available to all employees for reference
  • Inspect the company’s Terms of Use or Privacy documentation to determine whether they identify responsibilities and commitments
  • Inquire of management about their commitment to ethical values
Common exceptions: Generally, employees and contractors are required to complete annual security awareness training, but only the employees complete it. Defining when both employees and contractors are within the scope of a control is key. If a contractor has access similar to an employee, they should be held to the same controls as employees unless a third party is taking on that responsibility. In that case, the requirement placed on the third party, such as providing annual security training, should be defined within an agreement that the auditor can review.

Risk Assessment
Procedures:
  • Inspect the company’s documented risk assessment
  • Inspect the risk assessment to determine whether mitigation activities are identified, as required
Common exceptions: The risk assessment should be reviewed at least once each year and should include representatives from across the organization. Additionally, risks that arise from third-party vendors should be included in the review. Exceptions are not often noted in this area, but they can arise if third-party vendors are left out of the review.

Monitoring Activities
Procedures:
  • Inspect documentation that identifies system vulnerabilities
  • Inspect system configurations to determine whether notifications are provided when vulnerabilities or failures are identified
  • Inspect evidence that identified vulnerabilities are remediated
Common exceptions: Vulnerability scans are required at defined cadences. If scans are not completed on that cadence, or there is no evidence that patching was completed, exceptions around vulnerability management may arise. The scan schedule and the process for remediating findings should be documented and validated throughout the year. This lowers the risk of an exception stating that vulnerability management is not occurring as required.

Logical and Physical Access
Procedures:
  • Observe that the office requires a badge to enter
  • Inspect evidence that individuals with administrator-level access are authorized
  • Inspect the password policy used to enter the network
Common exceptions: Removal of access in a timely manner is the number one exception in the logical access area. A process to document that access is revoked at the time of termination is key. Additionally, logs showing when access was revoked should be retained so that, if the documentation was not completed correctly, the revocation can still be verified after the fact.

Systems Operations
Procedures:
  • Inspect the tools used to monitor traffic and alert on suspicious activity
  • Inspect evidence that the tools successfully send alerts, as required
  • Inspect evidence that notifications are followed up on and remediated as necessary
Common exceptions: Systems should be monitored for performance and errors, and should alert when events such as latency, outages, or suspicious activity are identified. Once an alert fires, it should be clear that the appropriate team reviews and follows up on it, or an exception could be noted. Finally, if an event becomes an incident, that incident should be documented with the root cause, timeline to resolution, summary, lessons learned, and communication of the incident, if applicable. If an incident occurs and there is no documentation to support it, an exception is generally noted.

Change Management
Procedures:
  • Inspect evidence to confirm that changes are defined and documented, approved for development, tested, and approved for implementation
Common exceptions: Changes should follow a standard process to document, approve, test, and merge changes into production. Further, where possible, branch protections should require approval from a separate engineer, and certain tests, including security-related tests, must pass before a change is merged into production. Exceptions rarely arise when these protections are in place, but they can be bypassed, and that is when issues occur. If branch protections are bypassed and there is no justification, an exception will be noted, and the opinion is often impacted.
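The logical-access exception described above (access not removed in a timely manner) can be found before the auditor does by reconciling the HR termination list against the identity provider’s revocation records. The following is an added example, not code from the original article: both data sets are constructed, and the 24-hour revocation SLA is an assumption for the example rather than a requirement the article states.

```python
"""Added example (not from the original article): reconcile terminations
against access-revocation records to find late or missing revocations.

Assumptions (mine, not the article's): a 24-hour SLA measured from the
termination timestamp; both inputs are dicts keyed by username, constructed
here. Real inputs would come from the HR system and the identity provider's
audit log.
"""
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=24)   # assumed revocation SLA


def _ts(s):
    """Parse an ISO 8601 UTC timestamp ending in Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed data (not real): who left, and when access was actually revoked.
TERMINATIONS = {
    "jsmith": _ts("2026-01-10T17:00:00Z"),
    "mlee":   _ts("2026-02-03T12:00:00Z"),
    "rpatel": _ts("2026-02-20T09:00:00Z"),
}
REVOCATIONS = {
    "jsmith": _ts("2026-01-10T18:30:00Z"),   # 1.5 h after termination: within SLA
    "mlee":   _ts("2026-02-06T08:00:00Z"),   # 68 h after termination: late
    # rpatel: no revocation record at all
}


def revocation_exceptions(terminations, revocations, sla=SLA):
    """One finding per terminated user whose access was not revoked within the SLA.

    Returns a list of dicts: user, finding ("revoked late" / "not revoked") and
    hours_open (hours between termination and revocation, or None if never revoked).
    """
    findings = []
    for user, left_at in sorted(terminations.items()):
        revoked_at = revocations.get(user)
        if revoked_at is None:
            findings.append({"user": user, "finding": "not revoked", "hours_open": None})
            continue
        delay = revoked_at - left_at        # negative if revoked before HR's timestamp: fine
        if delay > sla:
            findings.append({"user": user, "finding": "revoked late",
                             "hours_open": delay.total_seconds() / 3600})
    return findings


if __name__ == "__main__":
    for f in revocation_exceptions(TERMINATIONS, REVOCATIONS):
        print(f"exception: {f['user']}: {f['finding']}"
              + (f" ({f['hours_open']:.1f} h)" if f["hours_open"] is not None else ""))
    print("checked as of", datetime.now(timezone.utc).date())
```

Running this on a schedule during the audit period, rather than once at the end, is what turns a guaranteed exception into a same-day correction.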
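The change-management exceptions described above (no approval from a separate engineer, a required test that did not pass, a branch protection bypassed with no justification) can be checked from the source-control platform’s record of merged changes. Below is an added example, not code from the original article: the merged-change records are constructed, and the required checks (“unit”, “sast”) and the rule that the approver must differ from the author are an assumed policy.

```python
"""Added example (not from the original article): evidence check over merged
changes for the change-management exceptions the article describes.

Assumptions (mine): each record carries the author, the approving reviewers,
the status of each CI check, whether branch protection was bypassed, and any
written justification. Required checks and the independent-approval rule are
an assumed policy.
"""
REQUIRED_CHECKS = {"unit", "sast"}   # assumed policy

# Constructed merged-change records (not real).
MERGED_CHANGES = [
    {"id": 101, "author": "alice", "approvals": ["bob"],
     "checks": {"unit": "success", "sast": "success"}, "bypassed": False, "justification": None},
    {"id": 102, "author": "bob", "approvals": ["bob"],          # self-approval only
     "checks": {"unit": "success", "sast": "success"}, "bypassed": False, "justification": None},
    {"id": 103, "author": "carol", "approvals": ["alice"],
     "checks": {"unit": "success", "sast": "failure"}, "bypassed": False, "justification": None},
    {"id": 104, "author": "dave", "approvals": [],               # bypass, but documented
     "checks": {"unit": "success"}, "bypassed": True,
     "justification": "Emergency hotfix for INC-2026-014, approved by the on-call lead"},
    {"id": 105, "author": "erin", "approvals": [],               # bypass, nothing written down
     "checks": {"unit": "success", "sast": "success"}, "bypassed": True, "justification": None},
]


def review_change(change):
    """Return a list of (severity, message) findings for one merged change.

    A justified bypass is recorded as "documented bypass" rather than as an
    exception; an unjustified bypass, a missing independent approval, or a
    required check that did not pass is an "exception".
    """
    skipped = []
    if not [a for a in change["approvals"] if a != change["author"]]:
        skipped.append("independent approval")
    for check in sorted(REQUIRED_CHECKS):
        if change["checks"].get(check) != "success":
            skipped.append(f"required check '{check}'")

    findings = []
    if change["bypassed"]:
        what = ", ".join(skipped) or "nothing"
        if change["justification"]:
            findings.append(("documented bypass",
                             f"{what} skipped; justification: {change['justification']}"))
        else:
            findings.append(("exception",
                             f"branch protection bypassed with no justification ({what} skipped)"))
    else:
        findings.extend(("exception", f"{s} not satisfied") for s in skipped)
    return findings


def review_changes(changes):
    """Map change id -> findings."""
    return {c["id"]: review_change(c) for c in changes}


def changes_with_exceptions(report):
    """Sorted ids of changes that carry at least one exception."""
    return sorted(cid for cid, f in report.items() if any(sev == "exception" for sev, _ in f))


if __name__ == "__main__":
    report = review_changes(MERGED_CHANGES)
    for cid, findings in report.items():
        for sev, msg in findings:
            print(f"change {cid}: {sev}: {msg}")
    print("changes with exceptions:", changes_with_exceptions(report))
```

Change 104 shows the distinction the article draws: the bypass is still visible in the evidence, but because it was justified at the time it is a documented deviation, not an exception.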

 

What Is the Role of Internal Audit in Cloud Computing?

The section above is meant to give companies an idea of what is included in an audit checklist. Having a “checklist” or program to track controls and monitor them to validate that they are in place and operating, as applicable, is the basis for an internal audit role. Depending on the maturity of an internal audit team, a cloud auditor can choose to place some reliance on evidence provided by the internal auditor. At a minimum, many compliance frameworks require that evidence be available to support an internal audit role within the organization or show that monitoring of controls is occurring. Any work done by the internal auditor should be documented so that the cloud auditor can see that monitoring has occurred.

 


What Is AWS Cloud Compliance? Or Any Cloud Provider, Really!

While there is no specific “AWS cloud compliance” framework, a number of cloud security and compliance requirements call for specific controls at the cloud service provider level, whether that is AWS, Microsoft Azure, Google Cloud, or another provider, because that is where important information is maintained. The same is true of the many platforms that themselves run on infrastructure from these providers. Under the shared responsibility model, the provider is required to have its own security controls in place (and to evidence them through its own audit reports), but a number of controls remain the responsibility of the customer to implement or enable, such as network access rules, encryption settings, identity and access management, and logging.

Fortunately, cloud service providers such as AWS, Microsoft Azure, and Google Cloud have helped their users meet security frameworks, criteria, and certifications by making it easy to enable the controls that auditors will be looking for. Additionally, these providers publish white papers and compliance documentation so that users can gauge whether the services they use will meet their security requirements.
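Two of the customer-side controls an auditor typically asks about are security group rules and default encryption on storage. The following is an added example, not code from the original article or from AWS: it evaluates constructed configuration snapshots shaped like the JSON the AWS CLI returns for `describe-security-groups` and `get-bucket-encryption` (a bucket with no encryption configuration is represented as `None`, since the API call errors for such buckets). The policy applied (only TCP/443 may be open to the world; every bucket must have a default server-side encryption rule) is an assumption for the example, not a requirement the article prescribes.

```python
"""Added example (not from the original article or AWS): evaluate constructed
security group and bucket encryption snapshots against an assumed policy.

Assumptions (mine): snapshots follow the field names of the AWS API responses
(IpPermissions, IpRanges/CidrIp, Ipv6Ranges/CidrIpv6, IpProtocol "-1" for all
traffic; ServerSideEncryptionConfiguration.Rules[].ApplyServerSideEncryptionByDefault).
Only tcp/443 may be exposed to 0.0.0.0/0 or ::/0.
"""
WORLD = {"0.0.0.0/0", "::/0"}
ALLOWED_PUBLIC = {("tcp", 443, 443)}   # assumed policy

# Constructed snapshots (not real accounts).
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0e4f5a6b", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0c7d8e9f", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},   # all traffic, anywhere
    ]},
]

BUCKET_ENCRYPTION = {
    "customer-data": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": "alias/customer-data"}}]}},
    "public-assets": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "legacy-exports": None,   # get-bucket-encryption returned no configuration
}


def open_to_world(permission):
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    cidrs = [r.get("CidrIp") for r in permission.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def security_group_findings(groups):
    """(GroupId, message) for every world-open rule outside the allowed set."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            if not open_to_world(perm):
                continue
            proto = perm["IpProtocol"]
            if proto == "-1":                       # no ports on an all-traffic rule
                findings.append((sg["GroupId"], "all traffic open to the world"))
                continue
            key = (proto, perm.get("FromPort"), perm.get("ToPort"))
            if key not in ALLOWED_PUBLIC:
                findings.append((sg["GroupId"], f"{proto}/{key[1]}-{key[2]} open to the world"))
    return findings


def bucket_findings(buckets):
    """(bucket, message) for every bucket lacking a default encryption rule."""
    findings = []
    for name, cfg in buckets.items():
        if cfg is None:
            findings.append((name, "no default encryption configured"))
            continue
        rules = cfg["ServerSideEncryptionConfiguration"]["Rules"]
        if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules):
            findings.append((name, "encryption configuration has no default rule"))
    return findings


if __name__ == "__main__":
    for gid, msg in security_group_findings(SECURITY_GROUPS):
        print(f"security group {gid}: {msg}")
    for bucket, msg in bucket_findings(BUCKET_ENCRYPTION):
        print(f"bucket {bucket}: {msg}")
```

The point for audit readiness is that the same check, run against live API output on a schedule, produces the evidence the auditor asks for and catches the drift (a bastion opened to the world for a one-off task, a new bucket created without the encryption default) long before the audit period closes.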

The Bottom Line: Cloud Audits Are a Business Asset, Not Just a Checkbox

Cloud computing audits have become a standard as users are realizing that risks exist since their data is being hosted by other organizations. To combat that, they are requesting different forms of cloud computing audits to gain assurance and lower the risk of their information being lost or hacked.

Cloud computing audits come in different forms, such as SOC 1 & SOC 2 reporting, HITRUST, PCI, and FedRAMP. Depending on your needs, one of these should fulfill your audit requirements. If you are interested in learning more about the many audit services provided by Linford & Co, please feel free to contact us.


This article was originally published on 11/9/2022 and was updated on 3/25/2026.