Given the coverage that Cloud technology is getting, it is important to consider how to approach an audit of a Cloud service or infrastructure. Many see this as one of the top focus points for IT Audit in 2011.
At heart, I believe this should follow a similar method to auditing Outsource relationships (depending on the nature of the Cloud service, of course). There are a couple of good reference points on the Web to help get started:
http://www.cloudsecurityalliance.org/topthreats.html – The CSA is a great place to start researching Cloud technologies and threats
http://cloudaudit.org/ – Relatively new volunteer-based resource to address auditing, assurance and assertion for Cloud providers and consumers
http://searchfinancialsecurity.techtarget.com/news/article/0,289142,sid185_gci1524267,00.html – Recent article on TechTarget discussing Cloud Computing and Financial Services
It is important to know the concepts and terminology right from the start. As an IT Auditor you may need to explain to the business the implications of using external Cloud services. Most are immediately concerned about having their business information stored offsite in an ‘intangible’ cloud. The audit program will need to pull together various other programs such as 3rd party management, infrastructure reviews, information security, and regulatory and compliance implications.