Skip Ribbon Commands
Skip to main content
The Institute of Internal Auditors North AmericaBreadcrumb SeparatorLearning and EventsBreadcrumb SeparatorCoursesBreadcrumb SeparatorAuditing the Cloud
Course Description Course Outline Bring Us On Site  

Auditing the Cloud

Course Description

Print-friendly Course Description and Outline

​This course introduces the seemingly new and specific risks of the various types of cloud computing. Through reviewing recent cloud computing failures and breaches, together with a detailed discussion of traditional contract compliance issues and associated risk mitigation strategies, participants will come away with an ability to assess and prioritize risks associated with their organization’s planned or existing implementation(s) of cloud computing.

This course also emphasizes established tools and techniques to assess and prioritize these risks. Course exercises will provide attendees the opportunity to prepare an audit program specific to cloud computing for their organizations. Best practices for reporting, including use of visual models to communicate the location of data and responsibility for controls, will be featured.

Auditors and Chief Audit Executives seeking to understand the key risks and opportunities related to cloud computing should plan to attend.

IT Auditors and IT Managers are welcome to attend; however, this is a course on the contractual and management issues associated with cloud computing. This is not a technical IT Audit class.​​

Course Duration: 2 day(s)
CPEs Available: 16
Knowledge Level: Intermediate
Field of Study: Auditing
  • ​Supervisory or managerial experience is recommended.
  • Business and auditing experience, including interviewing, negotiation, and reporting skills are recommended.
  • Attendees should have a minimum of three to five years of experience, and have completed a variety of Operational and/or Financial Audits.
Advance Preparation: 

​None is required. However, attendees may benefit from building an inventory of cloud computing systems being used or proposed at their organization. Time permitting, examples from participants may be incorporated in addition to those in the materials.

Delivery Method:  

Headline Review: Recent Failures and Breaches in Cloud Computing 

  • Discuss cloud computing risks at your organization, based on examples of failures or breaches at other organizations
  • Discuss recent headlines of cloud computing failures and breaches
  • Consider the operational, financial, legal, and compliance implications of these headlines for your firm

IT Risk Assessment Frameworks

  • Explain IT risk assessment frameworks, focusing on confidentiality, integrity, and availability
  • Clarify the “new” risks of cloud computing, including security, availability, compliance, co-location (i.e., multi-tenancy), sustainability, and scalability
  • Compare these “new” risks against other known risks and controls, using existing IT and operational audit frameworks and techniques
  • Begin to develop a cloud-focused risk assessment at your firm that considers organization-specific risks and compliance requirements

Business Benefits of Cloud Computing (Why the Cloud?)

  • Compare and contrast cloud computing against more traditional IT systems and controls
  • State the business benefits of cloud computing, including efficiency, scalability, and flexibility
  • State the prevalence of cloud computing
  • Identify some of the cloud providers and distinguish between their service offerings

 Defining the Buzzwords 

  • Establish a common vocabulary for cloud computing
  • Compare public, private, and hybrid cloud computing
  • Distinguish between SaaS, IaaS, PaaS, and DaaS forms of cloud computing
  • Contrast cloud computing and virtualization

Develop a Risk-assessment Questionnaire for Your Enterprise

  • Develop a risk-assessment questionnaire to prioritize organization-specific risks associated with cloud computing
  • Prepare a cloud-focused risk assessment for your firm that considers organization-specific risks and compliance requirements
  • Execute a cloud-focused risk assessment for your firm that considers organization-specific risks and compliance requirements
  • Leverage and build on your team’s existing approach to risk assessment

Risk Responses 

  • Recommend risk response options — including risk avoidance, risk reduction, risk sharing, and risk acceptance — given specific risks of cloud computing
  • Discuss classic risk mitigation techniques as they relate to cloud computing
  • • Identify a scenario where each of these risk responses would be appropriate

Contract Compliance Fundamentals

  • Explain contract compliance fundamentals, with a focus on the kinds of terms and conditions that can be used to protect each party
  • Discuss any company-specific or industry-specific requirements that should influence an agreement with your cloud computing vendor(s)
  • Compare standard “click-through” agreements and compare/contrast with the T’s and C’s associated with other common service-level agreements

User Controls

  • Inform management regarding the importance of user controls in preparing for security breaches or outages related to the use of cloud computing services
  • Compare the responses and associated consequences for NetFlix, Reddit, Quora, and Foursquare during the Amazon EC2 cloud outage of April 2011
  • Recommend user controls that would avoid, reduce, share, or even accept the risks associated with cloud computing security breaches and outages

Recent Litigation Cases

  • Apply data points from recent cases and litigation against organization-specific risks related to cloud computing
  • Discuss recent IT litigation cases and related news events affecting cloud computing providers and their customers
  • Debate who should approve risk acceptance for cloud computing agreements at your organization

Developing Your Audit Program

  • Develop a company-specific audit program to assess and mitigate your organization’s risks of cloud computing
    • Develop a company-specific audit program based on topic areas discussed in class

o The first portion of the audit program will focus on activities to be performed prior to using any new cloud computing vendors coming into use

o The second portion of the audit program will focus on audit activities to be performed for existing cloud computing vendors

​Most courses can be delivered through on-site training. You might be surprised that the organization leading the profession is just as committed to the delivery of affordable training.

Contact us by calling +1-407-937-1388 or send an e-mail to