The shift of financial and operational workloads to cloud platforms has not eliminated IT audit obligations — it has changed where the controls live and who is responsible for them. Organisations that have moved in-scope financial systems to AWS, Azure, or GCP still need to demonstrate effective IT general controls. The methodology adapts; the obligation does not disappear.

This post explains what changes in IT audit when systems run in cloud environments, what the shared responsibility model means for controls evidence, and what auditors look for when your CDE or financial processing environment is cloud-hosted.

The Shared Responsibility Model: Where It Matters for Audit

Every major cloud provider operates on a shared responsibility model: the provider is responsible for the security of the cloud infrastructure; the customer is responsible for security in the cloud — how they configure services, manage access, and protect their data and applications.

For IT audit purposes, this model creates a clean demarcation. The cloud provider’s infrastructure controls — the physical data centre security, the hypervisor layer, the underlying network — are the provider’s responsibility, evidenced by their own compliance certifications (ISO 27001, SOC 2 Type II, PCI DSS for relevant services). Auditors do not require your organisation to evidence controls over infrastructure that is the provider’s responsibility. What they require is evidence of your controls over the layer you manage.

The controls that remain your responsibility — and therefore subject to IT audit — include: identity and access management within the cloud environment (who has access to which services, with what permissions, managed how); configuration management (how cloud services are configured, and whether configurations are controlled and reviewed); change management for infrastructure-as-code and cloud service configurations; logging and monitoring (what is logged, where logs are sent, and how they are reviewed); and data protection (encryption, backup, and retention).

Access Management in Cloud Environments

Cloud access management is different from traditional active directory access management — and the differences create audit risks that are not well-understood in organisations transitioning from on-premise environments.

Cloud IAM policies can be highly granular but are also easy to misconfigure. Overly permissive IAM policies — policies that grant broader access than the user or service requires — are common and create audit risk. Auditors will look for evidence that IAM policies follow the principle of least privilege, that policies are reviewed periodically, and that privileged access (including root account access and administrator roles in cloud environments) is tightly controlled and monitored.

Service accounts — automated identities used by applications and infrastructure services — are a particular area of focus. Cloud environments can accumulate service accounts with excessive permissions that are never reviewed because no human is directly assigned to them. For financial systems running in cloud environments, service accounts with access to financial data require the same controls attention as human privileged accounts.

Infrastructure as Code: A Change Management Challenge

Cloud environments are increasingly managed through infrastructure as code — Terraform, CloudFormation, Bicep, and similar tools. This is a significant change management challenge for IT audit. Changes to cloud infrastructure that previously required a formal change request and approval process can now be made by pushing code changes to a repository. Without controls over the CI/CD pipeline — code review requirements, approval gates, restricted deployment permissions — change management controls may not operate for cloud infrastructure changes as they do for traditional systems.

Auditors examining change management in cloud environments will look for evidence that infrastructure code changes are reviewed and approved before deployment, that deployment pipelines have appropriate access controls, and that the deployed state of cloud infrastructure is consistent with the approved configuration.

Cloud-Native Logging and Monitoring

Cloud platforms provide native logging capabilities (CloudTrail, Azure Monitor, GCP Cloud Audit Logs) that, when properly configured, provide significantly more comprehensive audit trails than equivalent on-premise environments. The challenge is configuration: logging must be enabled for the relevant services, logs must be retained for an appropriate period, and there must be a process for reviewing logs and alerting on anomalous activity.

Auditors will examine whether logging is enabled and comprehensive, whether log retention periods satisfy regulatory and audit requirements, and whether there is evidence of log review — not just log collection.

At Bitsecura, our IT audit team audits cloud environments across AWS, Azure, and GCP — assessing IAM configurations, infrastructure change controls, logging and monitoring, and the integration of cloud controls with broader ITGC frameworks. If you have moved financial or regulated workloads to the cloud and want to understand your audit readiness, reach out here.


Bitsecura provides IT audit, IT general controls review, and cybersecurity assurance services. Learn more about our IT audit services.