
We have implemented Cloud for a little while. My internal audit function in the organization has its own methodology and procedures; however, they are keen to know, in general, how to conduct such an audit engagement for cloud computing?

Answer

Well, it is safe to say that the components such as audit objective, scope, risk, plan, methodology/approach, along with its procedures (processes and techniques), are much the same as in other types of IT or IS audit engagements.

The main thing is that, in the cloud, with shared resourcing, multitenancy and geolocation, the boundaries are difficult to define and isolate, while the end-user-specific transactional information is difficult to obtain. As such, IT assurance needs to become more real-time, continuous and process-oriented rather than transactional in focus, while the cloud providers need to provide greater transparency to their clients.

Objective

Organizations should strive to align their business objectives with the objectives of the audit. During the planning stage, the auditor shall identify what the objectives are and then have them agreed with the auditee. From the auditor's end, they are going to use the objectives as a way of concluding on the evidence they obtain. Some of the notable objectives are:

  • Provide stakeholders with a result of the assessment on the effectiveness of the cloud computing service provider’s internal controls.
  • Identify internal control deficiencies within the end user’s organization and its interface with the service provider.
  • Provide stakeholders with a result of the assessment on the quality of, and their ability to rely upon, the service provider’s attestations related to internal controls.

The above controls also include IT application controls, not merely IT general controls, which are aimed at providing assurance over a specific application, its functionality and suitability.

To get an idea of the controls, including their objectives, in a cloud environment, have a look at ISACA’s Control Objectives for Information and Related Technologies (COBIT). Even though it was developed as a general control framework, some of its control objectives have applicability to the cloud.

Scope

  • The governance that affects cloud computing
  • The contractual compliance between the user and the service provider
  • Control issues and concerns specific to cloud computing

When it comes to IT general controls, the auditor from the customer’s end shall review:

  • Identity and Access Management (IAM): if your IAM system is integrated with the cloud computing system
  • Security Incident Management: to interface with and manage cloud computing incidents
  • Network Perimeter Security: as an access point to the internet
  • Systems Development and Maintenance: if the cloud is part of your application infrastructure
  • Project Management
  • IT Risk Management
  • Data Management
  • Vendor Management
  • Vulnerability Management

It is also important to note that the controls that are maintained by a vendor are not included in the scope of a cloud computing audit.

Methodology/Approach

It is common practice for an organization to use these two approaches to measure a cloud provider:

  • Vendor Management: inclusive of vendor risk assessment, vendor due diligence, vendor rating/tiering, vendor Scope of Work, vendor agreement, and vendor Service Level Agreement (SLA)
  • Independent Assurance: a third-party auditor, whether engaged by the cloud provider or by the end user

Procedure

Whether it’s rolled out by your internal function, the vendor’s organizational unit, or by a third party, the auditor will turn a stack of processes and techniques to account to obtain evidence: inquiry of data and documents, assessment, confirmation, recalculation, reperformance, observation, meetings, discussion, inspection, and analytics.
