# Audit Planning
# 1. Define Objectives
These high-level objectives should interpret the goals and outputs from the audit:
- Document and define the audit objectives.
- Define the audit outputs and format.
- Define the frequency and the audit focus.
- Define the required number of auditors and subject matter experts.
- Ensure alignment with internal audit and risk management processes.
# 2. Define Scope
The organization is the entity involved in defining the audit scope. The phase includes the following core steps:
- Document the core focus and boundaries of the audit.
- Define the key components of services.
- Define the cloud services to be audited.
- Define the geographic locations that are permitted and required and those that are actually being audited.
- Define the key stages to audit.
- Document the CSP contracts.
- Define the assessment criteria and metrics.
- Document final reporting dates.
# 3. Conduct Audit
When conducting an audit, keep the following issues in mind:
- Adequate staff
- Adequate tools
- Supervision of audit
# 4. Refine/Lessons Learned
Ensure that previous reviews are adequately analyzed and taken into account, with the view to streamline and obtain maximum value for future audits. To ensure that cloud services auditing is both effective and efficient, several steps should be undertaken either as a standalone activity or as part of a structured framework.
- Ensure that the approach and scope are still relevant.
- Factor in any provider changes that have occurred.
- Ensure that reporting details are sufficient to enable clear, concise, and appropriate business decisions to be made.
- Determine opportunities for reporting improvement and enhancement.
- Ensure that duplication of efforts is minimal (crossover or duplication with other audit and risk efforts).
- Make sure that audit criteria and scope are still accurate, factoring in business changes.
- Have a clear understanding of what levels of information and details can be collected using automated methods and mechanisms.
- Ensure that the right skillsets are available and utilized to provide accurate results and reporting.
- Ensure that the PDCA is also applied to the CSP auditing planning and processing.
These phases may coincide with other audit-related activities and be dependent on organizational structure. They may be structured (often influenced by compliance and regulatory requirements) or reside with a single individual (not recommended).