Question 13
To ensure that cloud audit resources deliver the best value to the organization, the PRIMARY step would be to:
Correct answer: A
Explanation
A cloud audit plan should be based on risk because audit resources are limited and must focus on the areas with the greatest exposure. A detailed risk assessment identifies the “highest risk” cloud services, controls, and processes, allowing the audit plan to target them first and deliver the best value to the organization.
Why each option is right or wrong
A. develop a cloud audit plan on the basis of a detailed risk assessment.
Under ISACA audit planning guidance, the audit universe and annual plan are driven by risk assessment, not by available staff time alone; the plan must prioritize the highest-risk areas so limited audit resources are allocated where the potential impact is greatest. In a cloud context, this means first identifying the specific cloud services, shared-responsibility gaps, and control weaknesses with the highest likelihood and impact, then building the audit plan around those findings rather than scheduling reviews ad hoc.
B. schedule the audits and monitor the time spent on each audit.
C. train the cloud audit staff on current technology used in the organization.
D. monitor progress of audits and initiate cost control measures.