Key Points
- Cloud providers process transactions outside the entity's physical control, which shifts audit evidence from internal systems to third-party service organisation reports.
- The auditor must understand exactly which services the cloud provider performs before assessing whether related controls are operating effectively.
- A single cloud-hosted ERP can process 100% of an entity's revenue transactions, making the provider's controls as relevant as the entity's own.
- Failure to assess cloud-related IT risks can result in undetected control deficiencies that affect the reliability of automated journal entries and revenue calculations.
What are Cloud Computing Audit Risks?
When a client migrates financially significant processes to cloud infrastructure, the auditor's risk assessment changes in two ways. First, ISA 315.26(a) requires the auditor to identify the IT applications and other aspects of the IT environment that are relevant to the financial statements, including those hosted externally. Second, ISA 402.7 treats the cloud provider as a service organisation whenever it processes transactions (or holds data) that affect financial reporting assertions.
The practical consequence is that the engagement team cannot simply test the client's own controls if those controls depend on the cloud provider's infrastructure. A cloud-hosted ERP system means that access management and change management sit with the provider, not with the entity's own IT team. ISA 402.9 requires the auditor to obtain an understanding of the nature and significance of these services. If the provider supplies an ISAE 3402 Type II report, the auditor evaluates whether the report covers the relevant period and the controls tested are those on which the entity relies. If no report exists, ISA 402.12 requires the auditor to perform alternative procedures, which may include contacting the provider directly or testing the entity's complementary user entity controls.
Worked example
Client: Fernandez, a Spanish wholesale distribution company, FY2025, revenue EUR 34M, IFRS reporter. Fernandez migrated its ERP (including accounts receivable, inventory, general ledger, and fixed-asset modules) to a cloud-hosted platform in January 2025. The company also uses a separate cloud-based payroll service for its 280 employees.
Step 1 — Identify cloud-dependent processes
The engagement team maps Fernandez's IT environment per ISA 315.25–26. The ERP handles order-to-cash (EUR 34M revenue) and procurement-to-pay (EUR 21M cost of goods sold), plus the financial close process and fixed-asset register. Payroll processing (annual cost EUR 4.8M) runs on a separate cloud platform. Both applications generate automated journal entries directly into the general ledger.
Documentation note: record each cloud service provider, the financial reporting processes hosted externally, the volume of transactions processed, and the automated controls that depend on the provider's infrastructure. Cross-reference to the risk assessment working paper.
Step 2 — Assess service organisation reports
The ERP provider supplies an ISAE 3402 Type II report covering 1 January to 31 December 2025. The report tests 14 IT general controls, covering logical access, change management, data backup, and incident response. The payroll provider does not produce any service organisation report.
Documentation note: document the evaluation of the ISAE 3402 report per ISA 402.14–15. Record the report period, the controls tested, any exceptions noted by the service auditor, and the assessment of whether the tested controls are those on which Fernandez relies. For the payroll provider, note the absence of a report and the alternative procedures planned.
Step 3 — Test complementary user entity controls
For the ERP, the ISAE 3402 report lists four complementary user entity controls (CUECs), including quarterly access reviews and segregation of duties in the approval workflow. The engagement team tests these at Fernandez. For payroll, the team designs alternative procedures: reconciling monthly payroll output to bank statements (12 months, total EUR 4.8M) and testing a sample of 25 employee master data changes against HR authorisation records. The team also verifies the payroll provider's data transmission logs for completeness and reconciles the provider's year-end payroll summary to the general ledger payroll accrual.
Documentation note: record the testing of each CUEC with specific sample sizes, populations, and results. For the payroll alternative procedures, document why each procedure addresses the specific risk that the absence of a service organisation report creates.
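The three payroll alternative procedures above (bank reconciliation, master data changes against HR authorisation, transmission log completeness), as an added example that is not part of the original page. All amounts, change ids and log entries are constructed and hypothetical; the monthly figure is chosen so the annual total matches the EUR 4.8M stated in the text.

```python
# Alternative procedures over the cloud payroll provider (no ISAE 3402 report).
# Added example, not from the original page; all data is constructed and
# hypothetical (the page gives only totals: EUR 4.8M, 12 months, 25 changes).
from decimal import Decimal

MONTHS = range(1, 13)
ZERO = Decimal("0.00")
# Procedure 1: monthly net payroll per provider report vs. bank debits.
PAYROLL_OUTPUT = {m: Decimal("400000.00") for m in MONTHS}
BANK_DEBITS = dict(PAYROLL_OUTPUT)
BANK_DEBITS[7] = Decimal("412500.00")  # constructed: unexplained July variance
# Procedure 2: sampled master-data changes and HR authorisation references.
MASTER_DATA_CHANGES = [
    {"id": "MD-01", "employee": "E1001", "field": "bank_account"},
    {"id": "MD-02", "employee": "E1042", "field": "salary"},
    {"id": "MD-03", "employee": "E1077", "field": "bank_account"},
]
HR_AUTHORISATIONS = {"MD-01", "MD-03"}  # MD-02 has no HR approval on file
# Procedure 3: provider transmission log, one successful entry expected per month.
TRANSMISSION_LOG = [{"month": m, "status": "OK"} for m in MONTHS if m != 11]


def reconcile_payroll(payroll, bank, tolerance=ZERO):
    """Months where the bank debit differs from provider output beyond tolerance."""
    exceptions = []
    for m in sorted(payroll):
        diff = bank.get(m, ZERO) - payroll[m]
        if abs(diff) > tolerance:
            exceptions.append((m, payroll[m], bank.get(m, ZERO), diff))
    return exceptions

def unauthorised_changes(changes, authorisations):
    """Change ids in the sample with no matching HR authorisation record."""
    return [c["id"] for c in changes if c["id"] not in authorisations]

def missing_transmissions(log, months=MONTHS):
    """Months with no successful transmission logged (completeness check)."""
    ok = {e["month"] for e in log if e["status"] == "OK"}
    return [m for m in months if m not in ok]

def run_alternative_procedures():
    """Exceptions for the working paper; each must be cleared or explained."""
    return {
        "bank_reconciliation_exceptions": reconcile_payroll(PAYROLL_OUTPUT, BANK_DEBITS),
        "unauthorised_master_data_changes": unauthorised_changes(MASTER_DATA_CHANGES, HR_AUTHORISATIONS),
        "missing_transmission_months": missing_transmissions(TRANSMISSION_LOG),
        "annual_total_eur": sum(PAYROLL_OUTPUT.values(), ZERO),
    }
```

Each non-empty list in the result is an exception that the working paper must either resolve to a documented explanation or carry forward into the Step 4 risk evaluation.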
Step 4 — Evaluate identified risks and respond
The team identifies two risks. The ISAE 3402 report disclosed one exception in the ERP provider's change management control (an emergency patch deployed without documented approval in March 2025). The team assesses whether the exception affected any application changes relevant to Fernandez's financial reporting during that period. For payroll, the absence of a service organisation report means the team cannot rely on the provider's internal controls and must obtain all assurance from the entity's own controls and the alternative procedures.
Documentation note: for the change management exception, record the nature of the emergency patch, the affected system component, the period of exposure, and the conclusion on whether the exception creates a risk of material misstatement. Link the conclusion to the overall risk assessment under ISA 315.32.
Conclusion: the cloud computing risk assessment produced a documented trail covering both service organisations. Reliance was placed on the ISAE 3402 report for the ERP (subject to evaluation of the one exception), and substantive alternative procedures were substituted for the payroll platform. The approach is defensible because each risk was identified and assessed at the individual service level, with a documented response.
Why it matters in practice
- Teams frequently treat a cloud provider's ISAE 3402 report as blanket assurance without checking whether the controls tested in the report are the specific controls on which the entity relies. ISA 402.14 requires the auditor to determine whether the Type II report provides sufficient appropriate audit evidence about the operating effectiveness of relevant controls. A report that tests data centre physical access but omits application-level change management does not cover the risk that matters.
- Complementary user entity controls listed in an ISAE 3402 report are routinely ignored. The service auditor's opinion assumes the user entity operates these controls effectively. When the entity fails to perform quarterly access reviews or segregation of duties checks, the control environment on which the auditor relies has a gap that the service organisation report does not fill. ISA 402.16 places the responsibility for evaluating CUECs on the entity's auditor.
Cloud computing audit risks vs. traditional IT audit risks
| Dimension | Cloud computing risks | Traditional on-premise IT risks |
|---|---|---|
| Control location | Controls reside with the cloud provider, outside the entity's direct governance | Controls reside within the entity's own IT department |
| Evidence source | ISAE 3402 or SOC reports from the provider, supplemented by CUEC testing at the entity | Direct testing of the entity's IT general controls by the engagement team |
| Access for testing | Provider may restrict auditor access; contractual audit rights vary | Auditor has direct access to servers, configurations, and logs |
| Change management | Provider deploys updates on its own schedule; the entity may not control or even know about changes | Entity controls the timing and approval of all system changes |
| Data segregation risk | Multi-tenant environments create a risk that data from other clients could affect the entity's environment | Single-tenant by default; data segregation is not an additional risk factor |
The distinction matters because audit procedures designed for on-premise IT environments do not transfer directly to cloud-hosted systems. The entity may have strong internal policies, but if the provider's change management or access controls are weak, the entity's IT general controls environment has a gap that only the service organisation report (or alternative procedures) can address.
Frequently asked questions
Do I need an ISAE 3402 report for every cloud provider my client uses?
Not necessarily. ISA 402.7 only applies when the cloud provider's services are relevant to financial reporting. A provider hosting the company website with no transaction-processing function would not fall within scope. Focus on providers that process transactions or operate controls on which the financial statements depend. Where no report exists, ISA 402.12 requires alternative procedures.
How do I audit cloud-hosted systems when the provider refuses direct access?
ISA 402.12 sets out alternatives when neither a Type I nor Type II report is available and the auditor cannot visit the service organisation. The auditor can test the entity's own controls over the data sent to and received from the provider, or use another auditor to perform procedures at the service organisation. A third option is to obtain information from the provider through the entity's contractual rights, though this depends on the service agreement's audit clause. Document which alternative was selected and why it provides sufficient appropriate evidence under ISA 402.12(a)–(c).
When should I involve an IT audit specialist for cloud computing risks?
ISA 220.14 requires the engagement partner to determine that the team has appropriate competence. If the entity runs financially significant applications in the cloud and the engagement team lacks experience evaluating IT general controls and service organisation reports, the partner should involve a specialist. The decision and rationale belong in the planning documentation per ISA 300.12.