CSA CCAK Sample Questions & Practice Test

Try 12 Certificate of Cloud Auditing Knowledge (CCAK) sample questions on cloud audit scope, evidence, controls, risk, compliance, logging, and assurance.

The Certificate of Cloud Auditing Knowledge (CCAK) focuses on cloud audit and assurance. It is useful for candidates who need cloud control objectives, evidence, risk assessment, compliance mapping, shared responsibility, and audit reporting.

Use these 12 original sample questions for initial self-assessment. They are not official Cloud Security Alliance questions and do not reproduce a live exam.

What this route should test

  • cloud audit scope, control mapping, evidence reliability, and assurance boundaries
  • shared responsibility, provider attestations, customer configurations, logging, and monitoring
  • audit judgment rather than cloud-console trivia

Official-source check

Verify current certificate names, exam policies, and requirements with the Cloud Security Alliance education page.

Sample Exam Questions

Question 1

Topic: audit scope

What should a cloud audit scope define first?

  • A. Systems, services, data, control objectives, responsibility boundaries, and evidence sources
  • B. Only the auditor’s preferred tool
  • C. Only provider marketing claims
  • D. No boundaries because cloud is dynamic

Best answer: A

Explanation: Scope must define what is being audited, which controls matter, who owns them, and what evidence can support conclusions.


Question 2

Topic: shared responsibility evidence

Which evidence best tests a customer-owned cloud control?

  • A. Provider building access procedures
  • B. A cloud provider logo
  • C. Customer IAM configuration, access review records, and privileged activity logs
  • D. A general statement that security is important

Best answer: C

Explanation: Customer-owned controls require customer-side evidence. Provider attestations do not prove customer configuration quality.


Question 3

Topic: provider assurance

Why are provider assurance reports useful?

  • A. They prove the customer has no controls to operate
  • B. They help assess provider-operated controls, scope, exceptions, and complementary customer responsibilities
  • C. They replace all customer audits
  • D. They remove the need to read the scope

Best answer: B

Explanation: Assurance reports are useful only when the auditor understands scope, period, exceptions, and complementary controls.


Question 4

Topic: evidence reliability

Which evidence is generally strongest for testing whether logging is enabled?

  • A. A verbal statement from a developer
  • B. A screenshot with no timestamp
  • C. A project kickoff slide
  • D. API or configuration output showing log settings, retention, and destinations during the audit period

Best answer: D

Explanation: System-generated configuration evidence is stronger than informal statements when it is relevant, complete, and tied to the audit period.


Question 5

Topic: cloud inventory

Why is cloud inventory important for audit?

  • A. Inventory is unrelated to audit scope
  • B. Cloud resources never change
  • C. Auditors need to know what resources exist, who owns them, and whether controls cover them
  • D. Inventory replaces risk assessment

Best answer: C

Explanation: Dynamic cloud resources can escape control coverage if inventory and ownership are weak.


Question 6

Topic: control mapping

What does control mapping help an auditor do?

  • A. Connect regulatory, framework, provider, and customer controls to specific evidence and responsibilities
  • B. Avoid evidence collection
  • C. Treat every control as provider-owned
  • D. Remove audit objectives

Best answer: A

Explanation: Mapping clarifies which controls satisfy which requirements and who operates them.


Question 7

Topic: configuration drift

Why is configuration drift a cloud audit concern?

  • A. Cloud configurations never change
  • B. Drift affects only office printers
  • C. Drift removes the need for monitoring
  • D. Automated or manual changes can move resources away from approved baselines

Best answer: D

Explanation: Drift can weaken controls after initial approval, so audits need evidence over time.


Question 8

Topic: continuous auditing

Which cloud feature supports continuous auditing?

  • A. Annual screenshots only
  • B. APIs, event logs, configuration snapshots, policy evaluation, and automated evidence collection
  • C. No logging
  • D. Manual memory of changes

Best answer: B

Explanation: Cloud APIs and telemetry can support more continuous, evidence-driven audit approaches.


Question 9

Topic: incident evidence

During a cloud incident audit, which evidence matters most?

  • A. Event logs, access records, configuration changes, incident tickets, containment actions, and lessons learned
  • B. A social media post
  • C. A blank policy template
  • D. A team calendar only

Best answer: A

Explanation: Incident assurance needs factual records of what happened, response actions, and control improvements.


Question 10

Topic: audit finding

What makes a cloud audit finding useful?

  • A. Vague criticism with no evidence
  • B. A technical fix performed by the auditor
  • C. Clear condition, criteria, cause, risk, evidence, and actionable recommendation
  • D. A statement that all cloud is risky

Best answer: C

Explanation: Findings should be evidence-based and tied to criteria, risk, and remediation.


Question 11

Topic: data residency

What evidence helps test data-residency controls?

  • A. A user’s preferred language
  • B. The office address only
  • C. A generic vendor brochure
  • D. Region configuration, storage locations, replication settings, service constraints, and monitoring records

Best answer: D

Explanation: Data residency requires evidence about where data is stored, replicated, processed, and monitored.


Question 12

Topic: audit independence

Why should auditors avoid operating the controls they audit?

  • A. It saves report writing
  • B. Independence and objectivity are weakened if the auditor becomes responsible for the control
  • C. It improves segregation of duties
  • D. It removes management accountability

Best answer: B

Explanation: Auditors should evaluate controls without taking over management’s control responsibilities.

Revised on Thursday, May 21, 2026