A&A-01: Audit and Assurance Policy and Procedures

Control Family:

Audit & Assurance

CSF v1.1 References:

Control is new to this version of the control set and incorporates the following items from the previous version: GRM-06: Policy, GRM-09: Policy Reviews.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards. Review and update the policies and procedures at least annually.

Implementation Guidance

Both the cloud service provider (CSP) and cloud service customer (CSC) should develop a "customized integrated framework" of audit and assurance policies and procedures. This framework should incorporate/demonstrate compliance to leading industry standards and self-imposed business requirements while providing appropriate coverage of controls to assess the respective cloud environment and corresponding services. At a minimum, audit and assurance policies and procedures should include:

  1. Audit and assurance functions indicating purposes, responsibilities, authorities, and accountabilities to ensure organizational independence, professional care, audit objectivity, and proficiency,
  2. Audit and assurance plans,
  3. Audit development policies and procedures to determine criteria and assertions against which the subject matter will be assessed, quality assurance and supervision, sufficient and appropriate evidence, in accordance with commonly accepted frameworks and audit best practices,
  4. Audit reporting to communicate audit results and findings,
  5. Follow-up activities to monitor audit findings implementation progress.

Auditing Guidance

  1. Examine policy and procedures to confirm content adequacy in terms of purpose, authority and accountability, responsibilities, planning, communication, reporting, and follow-up.
  2. Examine audit charter and determine if independence, impartiality, and objectivity are guaranteed.
  3. Examine policy and procedures for evidence of review at least annually.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.