Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards. Review and update the policies and procedures at least annually.
Both the cloud service provider (CSP) and cloud service customer (CSC) should develop a "customized integrated framework" of audit and assurance policies and procedures. This framework should incorporate and demonstrate compliance with leading industry standards and self-imposed business requirements, while providing appropriate coverage of controls to assess the respective cloud environment and corresponding services. At a minimum, audit and assurance policies and procedures should include:
- Audit and assurance functions indicating purposes, responsibilities, authorities, and accountabilities to ensure organizational independence, professional care, audit objectivity, and proficiency,
- Audit and assurance plans,
- Audit development policies and procedures to determine criteria and assertions against which the subject matter will be assessed, quality assurance and supervision, and sufficient and appropriate evidence, in accordance with commonly accepted frameworks and audit best practices,
- Audit reporting to communicate audit results and findings,
- Follow-up activities to monitor audit findings implementation progress.
- Examine policy and procedures to confirm content adequacy in terms of purpose, authority and accountability, responsibilities, planning, communication, reporting, and follow-up.
- Examine audit charter and determine if independence, impartiality, and objectivity are guaranteed.
- Examine policy and procedures for evidence of review at least annually.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.