An employee on a coffee break loaded Facebook on his work computer. He reacted to posts, shared memes, and clicked links to read interesting stories. Unknown to him, one of the links downloaded malware onto his computer. The malware used his company email account to send phishing emails to colleagues and clients, spread through the company network, and caused a data breach.
The above example is made up, but it could happen to you, especially if you have no robust process for developing IT standard operating procedures that put security standards into practice, do not enforce security procedures, processes, and controls, and do not regularly conduct IT audits.
You risk a lot when you don’t have IT security safeguards. Cisco said as much when its 2021 cybersecurity trends report indicated that at least one person in 86% of organizations clicked on a phishing link. Meanwhile, the 2022 Deloitte Global Outsourcing Survey reported that 48% of executives felt ill-equipped to meet their cybersecurity challenges.
Minimize Technology Risks With an IT Audit
An IT audit is a systematic, detailed, and comprehensive evaluation of an organization’s IT infrastructure: the hardware and software that make up the systems handling data input, storage, processing, flow, and analysis. It also evaluates the processes, procedures, and policies that dictate how the organization and its people handle, use, manage, and protect the integrity of its data and information technology assets.
It entails a hardware and software audit covering:
- Computers, servers, routers, mobile phones
- Communication and chatting apps
- Cloud storage services
- File-sharing apps
- Servers’ and workstations’ operating systems
- Productivity applications
- Time tracking software
- Software systems (e.g., ERP)
It reviews implementations of:
- IT standards, procedures, processes, and controls
- Documentation and information management
- Regulatory compliance (e.g., data privacy and security)
It also requires risk management, including:
- Identifying IT risks
- Creating an IT risk register
- Prioritizing risks according to impact
- Recommending risk prevention and mitigation measures
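Putting the risk register steps above into a working form, as an added example that is not part of the original article or Affility Consulting’s method: a small Python register that validates the scoring inputs, ranks the risks, and groups them into treatment bands for the audit report. The five-point likelihood and impact scales, the band thresholds, and the sample risks are constructed assumptions. The article prioritizes by impact; this example also weighs likelihood, with impact as the tiebreaker, which is how a conventional risk matrix ranks entries.

```python
"""Score and prioritize an IT risk register.

Added example for this article; not the author's or Affility Consulting's
method. The five-point likelihood and impact scales, the band thresholds
and the sample risks are constructed assumptions. The article prioritizes
by impact; this example also weighs likelihood, with impact as tiebreaker.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    asset: str
    likelihood: int  # 1 (rare) to 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) to 5 (severe); assumed scale
    owner: str
    mitigation: str

    def __post_init__(self) -> None:
        # Reject out-of-range scores early so a typo cannot silently re-rank the register.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        """Classic risk-matrix score: likelihood times impact (1..25)."""
        return self.likelihood * self.impact


def priority_band(score: int) -> str:
    """Map a score to a treatment band. Thresholds are assumptions, not a standard."""
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; equal scores rank the higher-impact risk first."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def band_summary(register: List[Risk]) -> Dict[str, List[str]]:
    """Group risk IDs by band, in priority order, for the audit report."""
    summary: Dict[str, List[str]] = {}
    for risk in prioritize(register):
        summary.setdefault(priority_band(risk.score), []).append(risk.risk_id)
    return summary


# Constructed sample register; owners and mitigations are illustrative.
SAMPLE_REGISTER: List[Risk] = [
    Risk("R1", "Employee clicks phishing link; mailbox used to phish clients",
         "Corporate email", 4, 4, "IT Manager", "Awareness training, MFA, mail filtering"),
    Risk("R2", "Unpatched server OS exploited from the internal network",
         "File server", 3, 5, "Infrastructure Lead", "Monthly patch cycle, vulnerability scanning"),
    Risk("R3", "Laptop lost with unencrypted customer data",
         "Staff laptops", 2, 5, "IT Manager", "Full-disk encryption, remote wipe"),
    Risk("R4", "Time tracking SaaS outage blocks payroll",
         "Time tracking software", 3, 2, "HR Systems Owner", "Vendor SLA, manual fallback"),
    Risk("R5", "Former vendor's account still active",
         "Vendor VPN access", 2, 2, "Vendor Manager", "Quarterly access review"),
]


if __name__ == "__main__":
    for risk in prioritize(SAMPLE_REGISTER):
        print(f"{risk.risk_id} {priority_band(risk.score):8} score={risk.score:2} {risk.description}")
```

The ranking is what the auditor will compare against your mitigation plan: the two Critical entries should have funded, dated measures, while the Medium ones can be accepted or scheduled. Keep the scales and thresholds written down with the register, because an auditor will ask how a score was derived, not just what it is.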
Preparing for an IT Audit: Best Practices
If you have an upcoming IT audit, follow these best practices for audit efficiency. Use the following as a pre-IT audit checklist.
1. Put Someone in Charge.
Who’s in charge of preparing your company for the audit? Someone well versed in your IT infrastructure is the natural choice.
This person will be your firm’s point person before, during, and after the audit. They will liaise with your consultants to agree on the audit scope and objectives, and coordinate with them to make sure the consultants have all the information they need and that the audit progresses as intended and finishes on schedule.
Furthermore, the person in charge is responsible for keeping the company’s stakeholders updated on the audit’s progress, collecting information and documents from employees, and, after the audit, receiving (and ideally reviewing and acting on) the IT audit report.
2. Determine Your IT Audit Category.
IT audits can have a very broad scope. Talk to your IT auditor so you can define the bounds of the audit and limit its coverage to what matters.
The following are the five categories of IT audits:
- Systems and Applications Audit: This is an audit of an organization’s systems and applications to verify their suitability, efficiency, and security.
- Information Processing Facilities Audit: This entails auditing all in-house and third-party data processing facilities’ infrastructure, systems, and applications to ensure accurate and timely data processing in normal and disruptive conditions.
- Systems Development Audit: This is an audit of systems under development to ensure they remain compliant with standards and aligned with business goals and requirements.
- IT and Enterprise Architecture Management Audit: This assesses the organization’s IT and enterprise architecture for efficiency and effectiveness. It also evaluates the suitability of the organization’s IT best practices framework.
- Client/Server, Telecommunications, Intranets, and Extranets Audit: This is an audit of the controls and measures that govern the operations of the organization’s servers, client devices (computers and other end-user devices), and networks.
3. Review the Standard or Framework for Assessment.
An IT audit assesses the organization’s IT infrastructure and controls against recognized and established standards. These provide a framework for a systematic evaluation, ensuring adherence to IT audit best practices, criteria, and principles and, subsequently, a quality and effective audit that provides value to the organization.
Preparing for your audit necessitates knowing which standards you’ll be evaluated against and reviewing them. This step will clarify the IT audit process. It will tell you which systems, procedures, and policies will be audited and which documents and information you must prepare for your consultants.
The following are a few of the popular frameworks IT auditors use:
- ISO/IEC 27001: This standard from the International Organization for Standardization or ISO and the International Electrotechnical Commission or IEC outlines information security management system (ISMS) requirements.
- ISO/IEC 38500: This standard provides guidelines for optimal IT governance.
- NIST Cybersecurity Framework: This framework from the National Institute of Standards and Technology (part of the U.S. Department of Commerce) outlines best practices businesses can follow to manage, prevent, and mitigate their cybersecurity risks and safeguard their networks and data.
- ITIL: This framework, which stands for Information Technology Infrastructure Library, is used to evaluate an organization’s IT service lifecycle and standardize its IT service management processes.
4. Get a Requirements Checklist From Your Consultants.
It’s a good idea to talk to your consultants and obtain a checklist of the documents and information they need you to prepare for their review.
Indeed, the previous step has familiarized you with the standards against which your organization will be evaluated. However, this step will give you a specific list of information, data, and documents you must prepare before the audit starts.
5. Gather and Prepare All IT Audit Requirements.
After appointing an internal liaison, establishing the type and scope of the audit, reviewing the standard your external consultants will use, and obtaining a list of the information and documents your consultants need, prepare all IT audit requirements.
Recording your processes, collecting relevant data, and compiling the necessary documents before the audit commences will save you time and ensure a successful outcome. You can do the following:
List Your IT Assets
Identify and track down all hardware, software, and systems that make up your IT infrastructure or have access to it. An asset you do not know about cannot be patched, monitored, or covered by a control, so the auditor will test whether the list is actually complete, not just whether it exists.
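One way to test that an asset list is complete, as an added example rather than code from the article or from Affility Consulting: reconcile the register against what network discovery actually sees. Everything below is constructed sample data (the hostnames, MAC addresses, and the discovery listing are assumptions); in practice the register comes from your CMDB and the discovery listing from DHCP leases, the directory, or a network scanner.

```python
"""Reconcile an IT asset register against network discovery results.

Added example for this article, not the author's or Affility Consulting's
code. The register and the discovery listing are constructed sample data;
a real audit would export the register from the CMDB and the discovery
listing from DHCP leases, the directory, or a network scanner.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    hostname: str
    mac: str
    owner: str
    asset_type: str


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC so '00-1A-2B-3C-4D-02' and '00:1a:2b:3c:4d:02' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed asset register: what the CMDB says exists.
ASSET_REGISTER: List[Asset] = [
    Asset("fs01", "00:1a:2b:3c:4d:01", "Infrastructure", "server"),
    Asset("ws-accounting-07", "00:1a:2b:3c:4d:02", "Finance", "workstation"),
    Asset("printer-2f", "00:1a:2b:3c:4d:03", "Facilities", "printer"),
    Asset("erp-app01", "00:1a:2b:3c:4d:04", "Infrastructure", "server"),
]

# Constructed discovery listing: what was actually seen on the network.
# One record per line, "<mac> <hostname> <ip>"; '#' starts a comment.
DISCOVERY_LISTING = """
# mac              hostname            ip
00:1a:2b:3c:4d:01  fs01                10.0.1.10
00-1A-2B-3C-4D-02  ws-accounting-07    10.0.2.37
00:1a:2b:3c:4d:04  erp-app02           10.0.1.22
00:1a:2b:3c:4d:05  android-9f3e        10.0.2.118
"""


def parse_discovery(listing: str) -> Dict[str, str]:
    """Return {normalized_mac: hostname} from the discovery listing."""
    seen: Dict[str, str] = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, hostname, _ip = line.split()
        seen[normalize_mac(mac)] = hostname
    return seen


def reconcile(register: List[Asset], discovered: Dict[str, str]) -> Dict[str, object]:
    """Compare the register with discovery and return the three findings an auditor asks about."""
    registered = {normalize_mac(a.mac): a for a in register}
    # On the network but not in the register: shadow IT or an unrecorded device.
    unregistered = sorted(set(discovered) - set(registered))
    # In the register but not on the network: decommissioned, offline, or a stale entry.
    not_seen = sorted(set(registered) - set(discovered))
    # Same device, different name: the register has fallen out of date.
    hostname_mismatch: Dict[str, Tuple[str, str]] = {
        mac: (registered[mac].hostname, discovered[mac])
        for mac in set(registered) & set(discovered)
        if registered[mac].hostname != discovered[mac]
    }
    return {
        "unregistered": unregistered,
        "not_seen": not_seen,
        "hostname_mismatch": hostname_mismatch,
    }


if __name__ == "__main__":
    findings = reconcile(ASSET_REGISTER, parse_discovery(DISCOVERY_LISTING))
    for kind, items in findings.items():
        print(f"{kind}: {items}")
```

Each of the three findings needs a disposition before the audit starts: an unregistered device is either added to the register with an owner or removed from the network; a registered device that was not seen is either confirmed offline or retired from the register; a hostname mismatch is corrected in whichever source is wrong. Running the reconciliation on a schedule, not just before an audit, is what keeps the asset list trustworthy.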
Record Your IT Controls
What controls does your organization have or practice to secure your data and IT assets? Create a list of these, classified according to the following categories:
- Application access
- Client management
- Data protection
- Database access
- Disaster recovery
- Incident management
- IT asset management
- Network access
- Operating system access
- Physical security
- Software development
- User awareness
- Vendor management
Compile the Required Documents, Processes, and Procedures
The framework or standard against which your organization will be audited and the checklist you obtained from your consultants will tell you exactly which documents you must prepare. They will also tell you which processes, procedures, and policies you must compile for the audit.
6. Agree on a Schedule.
Once you have all the IT audit requirements ready, your company’s point person can discuss the audit schedule with your IT audit consultants: when the audit will start, which employees the consultants need to talk to and when, when they need which documents, and when they will review which processes.
Talk to your consultants to agree on a workflow and schedule that works for them and for your organization.
IT Audit Best Practices for Doing IT Right
Technology can make organizations more efficient and productive. However, the applications and systems you install, the devices you allow to communicate with your networks and servers, and the users you allow to access your data represent security and privacy risks. Additionally, not all technologies are aligned with your business needs.
This is why you need an IT audit. It will help you safeguard your data and IT assets and optimize your IT infrastructure according to your goals.
Affility Consulting is a business consulting company that offers technology solutions, including ERP consulting, IT project advisory, and IT audit. Contact us for more information on our IT audit services.