IT is often overlooked in audits. Most commonly, the only IT components reviewed are the specific applications that house financial data and the software used to report that data. All companies can benefit from a change in this mindset and begin to use regular external IT audits as a way to obtain a neutral, third-party opinion about the controls and safeguards in place for the IT systems the company relies on to conduct business.
Audits can provide a variety of useful information to an organization, but most importantly they reduce the risk associated with unknowns within an IT environment. An audit allows a company to state, with evidence rather than assumption, that its controls and safeguards meet industry standards. Regular audits ensure that controls and safeguards are updated each year to keep pace with changes in industry standards for IT operations.
Thorough audits cover a variety of components of an IT environment, both technical and procedural. The most valuable part of an IT audit is not the review of documented policies and procedures, but the hands-on testing of the environment to confirm that everything is actually configured as those policies require, and that the configuration also meets industry standards. That second check is what makes an IT environment defensible against legal requirements and safe from the most common and expected threats.
When looking for an audit firm to complete an IT audit, here are the most common areas you should ask about, including how the firm handles, reviews and reports on each of them:
Technical Skills and Experience
The technical skills and experience of the auditors are the most important part of an external IT audit. Review the external firm to ensure it provides high-quality staff with a diverse background that is relevant to your organization's needs and technology.
Audit Firm's Reputation
Ultimately, your company is going to rely on the reputation of the audit firm if any part of the audit is ever questioned by partner companies or other organizations. It is important to choose a firm with a solid reputation for quality work, quality reports and a willingness to follow up on questions after the audit is complete.
Security
Security has several angles that must be considered when choosing an external audit firm. The first is how the firm protects your company's confidential data: both the data it collects while conducting the audit and the findings it produces, which are themselves sensitive and must be kept confidential.
Second, the firm must provide a solid review of security within your organization as part of the audit. This review should include physical security, security policies, off-site storage, data in transit, and penetration testing of the network from both an internal and an external perspective. All audits should cover these aspects of security at a minimum and use them as a basis for reviewing the rest of the enterprise for compliance with industry standards around encryption, authentication, logging, monitoring, alerting and incident response.
Controls
A complete audit will include a thorough review of all controls around access to data, change management, upgrades and staff responsibilities.
Controls include all aspects of change management. A proper process to approve and track changes ensures that the consequences of a change are fully planned and that recovery plans are in place before upgrades, changes or migrations take place. An outside audit firm can provide experienced third-party recommendations about the level of process in your organization and its adequacy.
Controls also include staff responsibilities and how those responsibilities are delegated and enforced through both process and technical safeguards. An experienced audit firm will review these for accuracy as well as implementation details, to ensure controls work as designed and are implemented wherever they are needed.
As part of the controls review, an experienced audit firm will document controls that are needed, but not currently in place. The recommendations come from experience in the industry, as well as solid knowledge of compliance regulations.
Staff Skills
An important part of any technical audit is a review of staff skill sets. Most external audit firms will review the current staff and their skill sets, and this information is then used when making recommendations for additional technologies or controls within the organization. It is important that every suggested change include the list of skills required to implement it, so that your organization can properly train and equip its staff to act on the outside firm's suggestions.
Company Culture
Often, a company's culture is the reason for non-compliance with accepted industry standards, particularly in IT. An external IT audit gives your company the opportunity to have external, experienced professionals observe how your staff actually operate. This outside perspective is often very useful in isolating unanticipated challenges that arise from the specific culture within your company.
Data Classification and Protection
External audits should include a detailed review of how data within your organization is classified and, based on that classification, protected from loss and disclosure. This review will be both technical and procedural, to ensure that gaps are not present in the current solutions. This portion of the audit should cover not only how data is managed on a daily basis within your company, but also how data is backed up, replicated and protected from loss in the event of a serious facility failure or loss.
Legal and Compliance
This is often the most difficult portion of an audit because of the highly specialized skills needed to complete a compliance review. Reputable audit firms will be able to bring the necessary regulatory and legal knowledge to the audit to ensure that your policies are in accordance with legal requirements. These regulatory requirements are most common in the financial services and health care industries.
Cost of Findings
Every finding from an IT audit has costs associated with it. These include the cost to fix the problem, whether through additional training, hardware or software, as well as the potential cost to the company if the problem is not corrected. The audit firm should be able to work with your organization to determine and document these costs, so they can be used to prioritize the findings and build a remediation plan.
Penetration Testing
Most IT audits will include penetration testing of your organization's network, applications, servers and data storage facilities. This is an important part of any audit because it exercises the controls actually in place, rather than those described on paper, and it reveals where additional controls are needed. It is important to find an audit firm with experience in this type of testing: that experience both increases the likelihood of meaningful findings and limits the chance of adverse consequences, such as service disruption, during the testing process.
Scope of the Audit
In a perfect world, an external IT audit will cover the entire company, not just specific departments. This provides the most thorough results because an external entity reviews all departments and organizations in a consistent manner and documents for senior management how the various organizations interact with and affect one another. Often, companies will instead do focused audits, looking only at a specific department or a subset of the IT infrastructure. While these can yield important information, they should be used with caution because they will potentially miss other important areas for improvement.
Finally, be open-minded when reviewing the results from the external firm at the end of any audit. It is possible that you will be shocked after the first audit at the sheer number of findings. This is not necessarily bad. A long list of recommendations can show that the firm doing your audit was very thorough, and it provides you with a solid basis for improvement. The most important thing to watch for in audit results is repetition: you want to make sure that a long list of recommendations is not repeated in subsequent years. Use the list as a chance to improve, so that the audit firm is not continually finding the same problems year after year.