IT Audits

Keep your IT system and your company safe with IT audits
By Judy Artunian, Freelance Writer When you commission an IT audit, you bring in an IT auditor to conduct a risk assessment. Your auditor will evaluate how well your organization’s information technology controls are minimizing the risk that your IT system will malfunction. IT audits will also alert you if aspects of the system aren’t complying with certain laws and regulations. Depending on your audit’s goals, the auditor will put various processes under the microscope, including your information security system, your e-mail retention policies and even the way you run your IT department. When the IT audit is complete, the auditor should spell out the steps you can take to improve your controls and make your system more secure.
 

IT audits can give you peace of mind on a number of fronts. For example:

1. IT audits will ensure that your company is complying with laws and regulations such as The Sarbanes-Oxley Act, The Health Insurance Portability and Accountability Act and the Payment Card Industry Data Security Standard.

2. You want your IT system to be up and running as quickly as possible after a catastrophic event. An IT audit will confirm that your disaster recovery plans include procedures to make that possible.

3. If there are cracks in your information security controls, IT audits will catch them.

Ask an independent IT auditor to conduct your IT audit

Seek out an experienced, certified IT auditor who can be objective. That means anyone who works directly with the systems to be audited is out of the running. If there are no qualified IT auditors in your organization, outsource the job.
Try: CynergisTek consultants can perform your IT audit or work with your internal IT audit staff. Protiviti’s risk consulting services includes IT auditing. Percento Technologies can perform IT audits on your network architecture, configuration and security measures. IT auditors should be certified by the Information Systems Audit and Control Association. If the auditor will be examining your security controls, look for a certification from (ISC)².

Conduct your own IT audits with IT audit software

Nothing replaces a thorough investigation by an objective IT auditor, but you should routinely test your IT system controls with specialized IT audit software.
Try: Check out IT audit software programs, such as MetricStream’s IT Audit Management and Altius Information Technologies’ risk management suite.

Learn the ABCs of IT audits

Find out how to get ready for an upcoming IT audit, and stay up-to-date on issues that could impact your audit.
Try: Prepare for IT audits by downloading an IT audit checklist from The IT Compliance Institute. The MIS Training Institute offers IT audit and information security training, conferences and seminars. IT Audit magazine, published by the Institute of Internal Auditors, keeps you updated on information technology issues related to IT audits.

• Before you launch an IT audit, determine exactly which systems and procedures should be audited. Only then can you bring in the right IT auditor for the job.
• When evaluating potential IT auditors, look for professionals with experience in your industry.
• Remember that your IT auditor is on your side. IT auditors report that some clients see them as the bad guy who is on the hunt for ways to make the client look bad. The result is a client who becomes defensive when an IT auditor pinpoints problems that need to be fixed.