Comparative Analysis of Cloud Audit Programs: AWS, Azure, GCP, and COBIT 2019 Integration
Keywords:
Cloud audit, AWS audit program, Azure audit program, GCP audit program, COBIT 2019, cloud compliance management, governance frameworks
Abstract
Cloud computing has rapidly established itself as the prevailing model for enterprise IT, with major providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) leading global adoption. The cloud promises scalability, flexibility, and cost efficiency, but it also creates complex governance, risk, and compliance challenges due to shared infrastructure, multi-tenancy, and interdependent service layers. To guide assurance efforts, ISACA has issued dedicated audit frameworks: the AWS Audit Program (2019), the Azure Audit Program (2020), the GCP Audit Program (2023), and a broader Cloud Computing Audit Program (2016). These programs structure risk assessment and testing across domains such as governance, identity and access management, incident response, configuration management, logging, and business continuity.
To integrate these audit practices with enterprise-level governance, the study employs the COBIT 2019 framework, ISACA’s globally recognized model for governing and managing information and technology. COBIT 2019 provides structured objectives and processes across governance, planning, implementation, service delivery, and monitoring that link IT controls directly to business goals, risk optimization, and value delivery.
This study undertakes a comparative review of the cloud audit programs, aligning their focus areas with COBIT 2019’s governance and management objectives. The findings highlight distinct emphases: AWS concentrates on configuration and misconfiguration risks; Azure underscores continuity, shared responsibility, and service reliability; GCP emphasizes hierarchical structure, identity, and permission inheritance; and the general cloud computing program provides a broad governance foundation applicable across providers. Comparative analysis shows that Azure exhibits the closest alignment with COBIT 2019, while AWS and GCP reveal gaps in governance integration. To address these gaps, the study proposes harmonization strategies involving cyber-risk quantification, structured risk registers, and continuous auditing. By linking technical audit domains to COBIT 2019’s governance objectives, the study reframes cloud audits from static, checklist-based exercises into dynamic governance mechanisms that foster compliance, risk optimization, and digital trust.
References
Alhassan, I., Sammon, D., & Daly, M. (2018). Data governance activities: An analysis of the literature. Journal of Decision Systems, 27(sup1), 64–81.
Alles, M., Kogan, A., & Vasarhelyi, M. A. (2006). Continuous auditing: A new view. Audit Research Monographs, 1(1), 1–14.
Bowen, G. A. (2009). Document analysis as a qualitative research method. Qualitative Research Journal, 9(2), 27–40.
Bowers, J., & Davis, K. (2019). Trust, risk, and governance in cloud outsourcing. Computer Law & Security Review, 35(3), 1–10.
De Haes, S., Van Grembergen, W., & Debreceny, R. S. (2020). COBIT as a framework for enterprise governance of IT. Journal of Information Systems, 34(2), 67–75.
Elo, S., & Kyngäs, H. (2008). The qualitative content analysis process. Journal of Advanced Nursing, 62(1), 107–115.
Fairfield, J. (2020). Quantifying cyber risk: The role of cyber risk quantification in enterprise governance. Journal of Cybersecurity, 6(1), 1–12.
Faniyi, F., & Bahsoon, R. (2016). A systematic review of service level management in the cloud. ACM Computing Surveys, 48(3), 1–27.
Fernandez, E. B., Hashizume, K., & Washizaki, H. (2016). Cloud computing security patterns: A survey. International Journal of Cloud Computing, 5(1/2), 3–16.
Gartner. (2021). Forecast: Public Cloud Services, Worldwide, 2021–2027. Gartner Research.
Gunasekera, D., Nguyen, H., & Colman, A. (2020). Security misconfigurations in cloud computing: Risks and countermeasures. Future Generation Computer Systems, 111, 327–340.
Hashizume, K., Rosado, D. G., Fernández-Medina, E., & Fernandez, E. B. (2013). An analysis of security issues for cloud computing. Journal of Internet Services and Applications, 4(1), 1–13.
ISACA. (2016). IS Audit/Assurance Program: Cloud Computing. ISACA.
ISACA. (2019). Amazon Web Services (AWS) Audit Program. ISACA.
ISACA. (2019). COBIT 2019 Framework: Governance and Management Objectives. ISACA.
ISACA. (2020). Microsoft Azure Audit Program. ISACA.
ISACA. (2023). Google Cloud Platform (GCP) Audit Program. ISACA.
Kuhn, J. R., & Sutton, S. G. (2010). Continuous auditing in ERP system environments: The current state and future directions. Journal of Information Systems, 24(1), 91–112.
Wang, Y., Chen, X., & Liu, Y. (2019). Security misconfiguration in cloud computing: An empirical study. Computers & Security, 87, 101602.
License
Copyright (c) 2025 Yogesh S. Thanvi

This work is licensed under a Creative Commons Attribution 4.0 International License.