In cloud environments, responsibility for controls is split between the provider and the customer. The division depends on the service model (IaaS, PaaS, SaaS). Misunderstanding the shared responsibility model can create gaps in control coverage, where critical risks may not be managed by either party. SLA penalties (A) are contractual issues, not audit priorities. Availability reports (B) and business process redesign (D) are relevant but not as fundamental as defining control ownership. ISACA’s cloud audit guidelines stress that proper scoping begins with understanding shared responsibilities to avoid assurance gaps.

References (ISACA): ISACA Cloud Computing Audit Program; ISACA Journal – Shared Responsibility in Cloud.