Certificate of Cloud Auditing Knowledge (CCAK) — Question 247

For an auditor auditing an organization’s cloud resources, which of the following should be of GREATEST concern?

Answer options

• A. The organization does not have separate policies for governing its cloud environment.
• B. The organization’s IT team does not include resources with cloud certifications.
• C. The organization does not perform periodic reviews or control monitoring for its cloud environment, but it has a documented audit plan and performs an audit for its cloud environment every alternate year.
• D. The risk management team reports to the head of audit.

Correct answer: C

Explanation

The correct answer is C because failing to perform regular reviews or control monitoring poses significant risks to the cloud environment's security and compliance. While having a documented audit plan is important, it does not compensate for the lack of periodic reviews. Options A, B, and D, while relevant, do not present as immediate a concern as the lack of ongoing monitoring and reviews.