Certificate of Cloud Auditing Knowledge (CCAK) — Question 212

Who is responsible for identifying and assessing the risk associated with using cloud services?

Answer options

• A. The external auditor
• B. The client organization
• C. The cloud service provider
• D. The cloud service provider’s suppliers

Correct answer: B

Explanation

The client organization is responsible for identifying and assessing risks because they are the ones using the cloud services and must understand the implications of that usage. While the cloud service provider and their suppliers have a role in managing security, the ultimate responsibility for risk assessment lies with the client organization. The external auditor's role is typically to evaluate compliance and controls, not to assess risk directly.