From a systems development life cycle perspective, where a Software as a Service (SaaS) provider follows a DevOps approach, it is MOST beneficial for continuous auditing controls to be:
CCAK Study Guide. Page 320.
6.8.2 Continuous Auditing and Continuous Assurance
"...Depending on the level of assurance the organization would need to obtain from its CSP and the level it would need to provide to its shareholders, customer and regulators, the assessors should focus on understanding the following:
(...)
if the organization follows a DevOps approach, are the controls natively designed into the software?.
CCAK P# 321 Depending on the level of assurance the organization would need to obtain from its CSP and the level it would need to provide to its shareholders, customer and regulators, the assessors should focus on understanding the following:
• Whether the frequency of the control evaluation is aligned with the level of assurance required
• Whether the controls are designed to meet the requested testing and evaluation frequency (e.g., if the organization follows a DevOps approach, are the controls natively designed into the software?)
• Whether the source of evidence allows for continuous auditing (Are logs and feeds available with the level of details and frequency required? Are the logging and monitoring capabilities natively provided by the CSP sufficient, or do external tools need to be integrated? Is the reporting from the CSP, e.g., incident reporting, aligned with the organization’s compliance needs?)
upvoted 2 times
...
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
339dfab
1 month agosai_murthy
9 months ago