The security awareness in an Organization usually increases after being exposed to an IT audit. Having someone assess your security work, review your documentation and write a final report can be an eye opener into what is actually expected. It is not enough to say you have a security culture and take IT security seriously. You have to prove it.
The quick answer is that it depends. Why does it depend? Because there are many types of audits, and a system can be audited from many angles. Are the IT systems audited as part of a financial audit, for compliance with some regulation, as a code review, or as an independent status report on an ongoing implementation project?
As you can see there are many different meanings to an IT audit. The kind of IT audit we will focus on in this document will be the “regular” IT Audit that is normally used as part of Financial audit. This type of audit is usually the basis for SOC (Service Organization Control) reports.
The purpose of an IT audit is to verify that IT risks are identified, mitigated and managed. The bigger the Organization, the harder it is to keep track of everything that is going on. Risks that are not identified and treated can lead to serious incidents that harm the Organization, both financially and reputationally. The IT auditor will therefore ask: what can go wrong?
Having answered that question, the auditor will look for processes that attempt to manage that risk. Once a process has been identified, the auditor will look for controls that support adherence to the process. The results of an IT audit are summed up in an audit report.
The audit report is a chance for the board, the stockholders, third parties and other stakeholders to get an independent status. The audit report should give assurance that sound IT processes are implemented and followed to reduce risk. It will show whether or not the Organization is complying with rules, regulations and its own policies.
When doing an IT audit, the auditor should always ask what could go wrong. The answers will depend on the size of the Organization, the complexity of the IT systems, and so on. Based on this initial assessment the auditor will plan the IT audit: which systems will be in scope, what the extent of the scope is, and whether there are any special risks that need to be evaluated.
An IT auditor will usually be more interested in active risk evaluations, security policies and compliance with processes than in fancy new technology. A new next-generation firewall (NGFW) carries little weight without a risk assessment explaining why it was needed, a process for configuring it, and a process for monitoring its traffic. Some processes, though, are considered so essential that they will almost always be part of the IT audit.
Change Management
Change management is an essential process that should be part of every Organization. It is the alpha and omega of ensuring that changes are registered and handled correctly. The change management process is so common that it is one of the best-known processes in the best-practice framework called ITIL. ITIL defines a change as: "the addition, modification or removal of anything that could have an effect on IT services". Without a change management process, or with an inefficient one, there is a risk that:
Unlike IT general controls, which are controls and processes that apply to all systems, application controls are specific controls for a specific system. Application controls are also automated controls that, once set up, should work the same way every time without manual intervention. The purpose of application controls is to protect the confidentiality, integrity and availability of the application and its associated data. Some application controls are hardcoded into the application, while others are open for configuration by the Organization. Application controls come in many shapes and forms and can be categorized as:
Knowing how an IT audit works, the Organization can prepare by implementing the processes and controls that are expected. It can also start gathering and documenting the audit evidence that is needed. It can be both embarrassing and humiliating for an Organization that thinks it has IT security under control to completely fail an audit.