Back to all activities

Assessing Usage of Cloud Services


During the organizational assessment you will almost certainly come across 3rd party cloud-based service providers being used by the audited organization. The organization may be interested in your assessment of the security of those services. This poses several challenges to you as an auditor:

  • auditing 3rd party web applications almost certainly falls outside of the scope of the audit engagement
  • you likely do not have an agreement with the service provider to scan their application
  • a proper assessment would take more time than is available for the organizational audit
  • you may not be familiar with the service or technology it is built on Despite these challenges, significant organizational processes and sensitive data may reside on or rely upon those 3rd party applications. It can be important to the audit to provide some preliminary investigation and risk assessment into the usage of any 3rd party cloud services they rely upon.


    • Auditing 3rd party services must be negotiated directly with the service provider and adds significant complexity to the process (and would normally fall out of scope). There are often serious legal issues involved in auditing outside of a formal, signed agreement.

Walk Through

    It is increasingly difficult to run complex organizations without some reliance on cloud-based service providers such as email hosting, web hosting, or document management/backup. Organizations (and as assisted by the auditor) should review their options in the selection of cloud providers, and in parallel consider ways to apply practices and policies to their use to meet organizational security requirements.


    Schedule regular (annual?) reviews of the external services to ensure that they meet organizational requirements for functionality and security, business solvency, and exporting or transferring of data.

    When considering formalizing the use of new 3rd party services, review the questions and processes here to help guide the decision.