Writing about Azure audit and its associated audit program is a logical follow-up to a previous ISACA Journal article I wrote on auditing Amazon web services (AWS). The Azure audit program serves as a foundational assessment template that seeks to enhance risk awareness around some of the Azure resource offerings a typical enterprise would subscribe to. As with any security, risk or governance article, there is always a need to generalize the audit topics described, as enterprise-specific implementations of a cloud service such as Azure can vary widely. I leave it to the readers to take the audit program and add on or modify as they see fit to fulfill their audit engagement or security assessment requirements.
The development process for the audit program consists of completing the Azure Fundamentals course on Microsoft Learn, performing extensive reviews of Microsoft vendor documentation to better understand functional aspects of the services included and then using that information as a basis to describe the Azure cloud platform and the functional audit steps for in-scope services. The audit program is also supported by signing up for several Azure free accounts, walking through live examples of the audit steps detailed in the audit program and completing extensive subject matter expert reviews. As with other cloud platforms such as AWS, the steps outlined in the audit program may be impacted by minor or major changes by the time you subscribe to the audit program, so if anything I hope you can use the information as a source of inspiration for any assessments you are required to complete or are planning.
Some of the audit test steps outlined in the audit program can be automated. However, automation can be prone to failure for various reasons, such as scoping issues and other problems where changes in the environment may lead to effective testing being compromised. The audit program can also be used as a routine mechanism to validate automation effectiveness and ensure automated testing mechanisms continue to operate as expected.
Editor’s note: For further insights on this topic, read Adam Kohnke’s recent Journal article, “Auditing the Cloud: Microsoft Azure,” ISACA Journal, volume 5, 2020.