Comparative Analysis of Cloud Audit Programs: AWS, Azure, GCP, and COBIT 2019 Integration

Cloud computing has rapidly established itself as the prevailing model for enterprise IT, with major providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) leading global adoption. The cloud promises scalability, flexibility, and cost efficiency, but it also creates complex governance, risk, and compliance challenges due to shared infrastructure, multi-tenancy, and interdependent service layers. To guide assurance efforts, ISACA has issued dedicated audit frameworks: the AWS Audit Program (2019), the Azure Audit Program (2020), the GCP Audit Program (2023), and a broader Cloud Computing Audit Program (2016). These programs structure risk assessment and testing across domains such as governance, identity and access management, incident response, configuration management, logging, and business continuity. To integrate these audit practices with enterprise-level governance, the study employs the COBIT 2019 framework, ISACA’s globally recognized model for governing and managing information and technology. COBIT 2019 provides structured objectives and processes across governance, planning, implementation, service delivery, and monitoring that link IT controls directly to business goals, risk optimization, and value delivery. This study undertakes a comparative review of the cloud audit programs, aligning their focus areas with COBIT 2019’s governance and management objectives. The findings highlight distinct emphases: AWS concentrates on configuration and misconfiguration risks, Azure underscores continuity, shared responsibility, and service reliability, GCP emphasizes hierarchical structure, identity, and permission inheritance, and the general cloud computing program provides a broad governance foundation applicable across providers. Comparative analysis shows Azure exhibits the closest alignment with COBIT 2019, while AWS and GCP reveal gaps in governance integration. To address these gaps, the study proposes harmonization strategies involving cyber-risk quantification, structured risk registers, and continuous auditing. By linking technical audit domains to COBIT 2019’s governance objectives, the study reframes cloud audits from static, checklist-based exercises into dynamic governance mechanisms that foster compliance, risk optimization, and digital trust.