Certificate of Cloud Auditing Knowledge (CCAK) — Question 108
A cloud service provider utilizes services of other service providers for its cloud service. Which of the following is the BEST approach for the auditor while performing the audit for the cloud service?
Answer options
- A. The auditor should review the service providers’ security controls even more strictly, as they are further separated from the cloud customer.
- B. The auditor should review the relationship between the cloud service provider and its service provider to help direct and estimate the level of effort and analysis the auditor should apply.
- C. As the contract for the cloud service is between the cloud customer and the cloud service provider, there is no need for the auditor to review the services provided by the service providers.
- D. As the relationship between the cloud service provider and its service providers is governed by separate contracts between them, there is no need for the auditor to review the services provided by the service providers.
Correct answer: B
Explanation
The correct answer is B because understanding the relationship between the cloud service provider and its service providers helps the auditor gauge the necessary depth of the audit. The other options incorrectly suggest that the auditor can disregard the service providers' controls, an omission that may pose risks to the cloud service customer.