Cloud costs are no longer a rounding error on most enterprise income statements. For technology-intensive organizations, cloud infrastructure is a primary cost of revenue line item — and primary cost of revenue items get audited. External auditors, internal audit teams, and SOX compliance programs all need to be satisfied that cloud costs are accurately recorded, appropriately attributed, and supported by adequate controls.
Most finance teams haven’t fully adapted to this reality. Cloud cost management has been treated as an engineering discipline, with finance as a downstream consumer of reports. That structure doesn’t satisfy audit requirements — and as cloud costs grow, the audit scrutiny grows with them.
What auditors actually look at
Understanding the audit requirement requires understanding what auditors are testing. For cloud costs, the primary audit objectives are:
Completeness — Have all cloud costs been captured in the financial statements? This sounds obvious but isn’t: organizations with multiple AWS accounts, Azure subscriptions, or GCP projects need a process to ensure that every account’s costs are included, that credits and refunds are properly accounted for, and that the accrual at period end captures any unbilled usage.
Accuracy — Are the amounts correct? Auditors will test the reconciliation from the cloud provider’s invoice to the amounts booked. Any methodology for splitting shared costs or attributing costs across entities needs to be documented and applied consistently.
Proper period — Are costs recorded in the correct accounting period? Cloud costs accrue through the month but final invoices arrive afterward. The accrual methodology needs to be documented and applied consistently.
Classification — Are cloud costs correctly classified in the income statement? Cost of revenue versus operating expense, capitalized versus expensed for development costs that meet GAAP criteria — these distinctions matter for margin calculations.
Authorization — Are there adequate controls over who can provision cloud resources and incur costs? This is the SOX dimension: the access controls that prevent unauthorized spend.
The documentation gap
Most organizations can produce their cloud invoices. Very few can produce documentation for the rest of the audit chain. The gaps most commonly cited by auditors:
No documented tagging taxonomy. If you use tags for cost allocation, auditors will ask for the documented taxonomy: what tags are required, what values are permitted, how enforcement is implemented. A verbal “we have a tagging policy” is not sufficient. The policy needs to exist in writing, with evidence of enforcement.
No documented shared cost allocation methodology. Shared services — networking, security tooling, support plans, shared data infrastructure — need to be allocated across business units or entities. Auditors need to see the allocation methodology documented and evidence that it’s applied consistently. Ad hoc allocation is a finding.
No formal accrual process. A cloud cost accrual that’s calculated informally using a spreadsheet is not adequate for a material line item. The process needs to be documented, the inputs need to be sourced from authoritative data, and the output needs to be reviewed and approved by someone with appropriate authority.
Weak access controls. Who has the ability to provision cloud resources? Is that access reviewed? Is there a separation of duties between the people who provision resources and the people who approve cloud spend? SOX auditors will test this.
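Returning to the tagging taxonomy gap above: one way to turn a written taxonomy into an enforceable control on AWS is an Organizations tag policy. The policy below is an added illustration, not part of the original article; it fixes the capitalization of the CostCenter and Environment keys, restricts the permitted values, and rejects non-compliant tagging operations on the listed resource types. The tag values are constructed placeholders that a real taxonomy would replace.

```json
{
  "tags": {
    "costcenter": {
      "tag_key": {
        "@@assign": "CostCenter"
      },
      "tag_value": {
        "@@assign": [
          "CC-1001-Platform",
          "CC-2002-DataEngineering",
          "CC-3003-Corporate"
        ]
      },
      "enforced_for": {
        "@@assign": [
          "ec2:instance",
          "ec2:volume",
          "rds:db"
        ]
      }
    },
    "environment": {
      "tag_key": {
        "@@assign": "Environment"
      },
      "tag_value": {
        "@@assign": [
          "prod",
          "staging",
          "dev"
        ]
      },
      "enforced_for": {
        "@@assign": [
          "ec2:instance",
          "ec2:volume",
          "rds:db"
        ]
      }
    }
  }
}
```

A tag policy constrains keys and values on resources that are tagged but does not by itself require the tag to be present, so pair it with an SCP condition on aws:RequestTag or the AWS Config required-tags rule for presence. The tag policy compliance report in Organizations is the written evidence of enforcement that auditors ask for.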
Building an audit-ready cloud cost process
Step 1: Reconcile the invoice. Every month, reconcile the total on the AWS (or Azure, or GCP) invoice to the amounts in Cost Explorer (or the provider’s equivalent cost-management tool), and document that reconciliation. This is the starting point that ties your management reporting to the billable source.
Step 2: Document your allocation methodology. Write down exactly how you allocate shared costs. Which costs are allocated? What’s the allocation basis (headcount, compute hours, revenue percentage)? Who approves the methodology? Apply it consistently and document any changes.
Step 3: Formalize the accrual. Define the accrual methodology in a written procedure: the data source, the calculation, who prepares it, who reviews it, and what the threshold is for adjusting the accrual if month-end data is significantly different from the estimate.
Step 4: Implement and document access controls. Define who can provision cloud resources. Implement IAM policies that enforce least privilege. Review access quarterly and document the review. For SOX-scoped systems, this needs to be part of the formal controls environment.
Step 5: Build the variance explanation process. For any period where cloud costs vary by more than a defined threshold (5% or a dollar amount), require a written variance explanation with supporting data. This creates the paper trail that auditors need and the internal discipline to understand cost drivers.
The access control question
One dimension of cloud cost auditability that’s often overlooked is the access control environment around the cost data itself. If the people managing cloud infrastructure can also modify the billing data, the tagging, or the cost allocation, that’s a control risk. The principle of least privilege applies to cloud cost management as much as to cloud infrastructure.
Read-only access to billing data and cost reports is the right model for finance teams. The ability to see what’s being spent, how it’s allocated, and where it’s going — without the ability to modify underlying resources or billing configurations — provides the independent view that financial controls require.
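As an added example (not from the original article and not a CostDefender artifact), an AWS IAM policy for a finance reviewer role that implements the read-only model described above: it allows Cost Explorer and Cost and Usage Report reads and explicitly denies the write actions that would let the same principal alter cost categories, report definitions or resource tags. The action names are AWS’s own; the statement ids are chosen here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FinanceReadCostData",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ce:GetCostAndUsageWithResources",
        "ce:GetCostForecast",
        "ce:GetDimensionValues",
        "ce:GetTags",
        "ce:DescribeCostCategoryDefinition",
        "ce:ListCostCategoryDefinitions",
        "cur:DescribeReportDefinitions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyChangesToCostConfigurationAndTags",
      "Effect": "Deny",
      "Action": [
        "ce:Create*",
        "ce:Update*",
        "ce:Delete*",
        "cur:PutReportDefinition",
        "cur:ModifyReportDefinition",
        "cur:DeleteReportDefinition",
        "tag:TagResources",
        "tag:UntagResources"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach this to a dedicated finance role rather than to identities that also hold infrastructure write permissions; the explicit Deny keeps the view independent even if a broader policy is later attached to the same role.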
CostDefender operates exclusively with read-only cloud access, providing finance teams an independent view of cloud costs and creating the separation between infrastructure management and financial oversight that audit teams require.