# Audit Responsibilities
# Internal Audit
Organizations need ongoing assurances from providers that controls are put in place or are in the process of being identified. Internal audit acts as a third line of defense after the business or IT functions and risk management functions.
- Audit can provide independent verification of the cloud program's effectiveness giving assurance to the board with regard to the cloud risk exposure.
- Internal audit can also play the role of trusted advisor and proactively work with IT and the business in identifying and addressing the risk associate with third-party providers. This allows a risk-based approach to moving systems to the cloud.
# External Audit
An external audit is typically focused on the internal controls over financial reporting. Therefore, the scope of services is usually limited to the IT and business environments that support the financial health of an organization and in most cases doesn't provide specific assurance on cloud risks other than vendor risk considerations on the financial health of the CSP.