Just when you thought it was safe to start your assessment of a cloud, ISACA releases yet one more methodology, which I will call the CCMAAP. The introduction on the ISACA site to CCMAAP is not very clear about how this fits with other assessment projects. It gets called a program, tool, template and road map all in the first sentence.

Objective—The cloud computing audit/assurance review will:

* Provide stakeholders with an assessment of the effectiveness of the cloud computing service provider’s internal controls and security
* Identify internal control deficiencies within the customer organization and its interface with the service provider
* Provide audit stakeholders with an assessment of the quality of and their ability to rely upon the service provider’s attestations regarding internal controls.

It looks quite useful for anyone already using COBIT or wondering how COSO works with a cloud. The first thing that jumps to my mind is that the COBIT mappings look very sparse. Page after page of audit questions have no COBIT reference. Even the CSA has only a few questions without a COBIT reference.