Which of the following is the BEST approach for the auditor while performing the audit for the cloud service?
A cloud service provider utilizes services of other service providers for its cloud service.
Which of the following is the BEST approach for the auditor while performing the audit for the cloud service?
A. The auditor should review the service providers’ security controls even more strictly, as they are further separated from the cloud customer.
B. The auditor should review the relationship between the cloud service provider and its service provider to help direct and estimate the level of effort and analysis the auditor should apply.
C. As the contract for the cloud service is between the cloud customer and the cloud service provider, there is no need for the auditor to review the services provided by the service providers.
D. As the relationship between the cloud service provider and its service providers is governed by separate contracts between them, there is no need for the auditor to review the services
Answer: B
Explanation:
According to the ISACA Cloud Auditing Knowledge Certificate Study Guide, the auditor should review the relationship between the cloud service provider and its service provider to help direct and estimate the level of effort and analysis the auditor should apply. The auditor should understand the nature and scope of the services provided by the service provider, the contractual obligations and service level agreements, the security and compliance requirements, and the monitoring and reporting mechanisms. The auditor should also assess the risks and controls associated with the service provider, and determine if additional audit procedures are needed to obtain sufficient assurance.
The other options are not the best approach for the auditor.
Option A is too strict and might not be feasible or necessary, depending on the type and level of services provided by the service provider.
Option C is too lax and might overlook significant risks and gaps in the cloud service.
Option D is too narrow and might ignore the impact of the service provider on the cloud customer’s business context.
Reference: ISACA Cloud Auditing Knowledge Certificate Study Guide, page 13-14.