Finding Out about Cloud Security Auditing

Cloud computing, as defined by the National Institute of Standards and Technology (NIST), is “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

In essence, cloud computing could be described as the use of computing resources, both hardware and software, provided over a network, requiring minimal interaction between users and providers. There are three main types of cloud service:

  • Infrastructure as a Service (IaaS) — the most basic category; involves renting IT infrastructure
  • Platform as a Service (PaaS) — supplies an on-demand environment for developing, testing, delivering and managing software applications
  • Software as a Service (SaaS) — a method for delivering software applications over the internet, on demand and typically on a subscription basis. 

Will the cloud help auditors do their job more easily or better? The answer is a qualified yes. While the cloud does not in itself necessarily hold the prospect of changing how we audit, it could nevertheless make auditing more centralized, easier to access across geographies and more efficient. For example, for a multinational that operates in the cloud, a transaction will be recorded centrally in the cloud (and updated/replicated across geographic-specific systems) whether it is made in the US or in India.

A traditional IT security audit is an examination of an IT group’s checks, balances, and controls. Auditors enumerate, evaluate, and test an organization’s systems, practices, and operations to determine whether the systems safeguard the information assets, maintain data integrity, and operate effectively to achieve the organization’s business goals or objectives. To support these objectives, IT security auditors need data from both internal and external sources.  

As we have seen, the cloud could make the retrieval of data needed for the audit faster and easier, expanding the search functionality and enhancing the precision of auditor inquiries. In combination with other new technologies such as robotic process automation (RPA), the use of the cloud could also facilitate the analysis of 100 percent of datasets. The cloud in combination with other technologies is therefore itself a driver of better audit quality. 

