Certificate of Cloud Auditing Knowledge (CCAK) — Question 109

As Infrastructure as a Service (IaaS) cloud service providers often do not allow the cloud service customers to perform on-premise audits, the BEST approach for the auditor should be to:

Answer options

• A. use other sources of available data for evaluating the customer’s controls.
• B. refrain from auditing the provider’s security controls due to lack of cooperation.
• C. escalate the lack of support from the provider to the regulatory authority.
• D. recommend that the customer not use the services provided by the provider.

Correct answer: A

Explanation

The correct answer is A because auditors can leverage other data sources to evaluate controls when direct audits are not permissible. Options B and D are unproductive as they do not provide a solution for assessing security and may hinder business operations. Option C may escalate issues unnecessarily without addressing the immediate auditing needs.