IT audits evaluate an organization's ability to protect information assets and verify that the risks of anything compromising IT systems and information are as low as possible.
Audits cover the availability of the IT systems and the integrity of the organization's information (its accuracy and reliability), and they determine which areas pose risks that need to be addressed.
By doing audits, IT leadership is proactive about identifying what improvements can or must be made to avoid unnecessary risks.
IT audits can focus on different types of topics, from very technical to more managerial or strategic. Starting with the technical evaluation, IT auditors can look at:
- Communication and network security
  - All companies have numerous systems that are accessible over the internet, so identifying network vulnerabilities is key to making sure only authorized users have access.
- Identification and Access Management (IAM)
  - The management of user roles and the system access they carry is very complex, so IT Auditors evaluate how these are set up, because any mistakes in them would create risks.
- Asset security
  - Large companies have data centers, server rooms and similar places where physical equipment is located, and they provide users with PCs, laptops and mobile devices. IT Auditors evaluate what risks may exist in terms of people's physical access to equipment and the things they can do with end-user devices, such as the ability to install software.
- Secure architecture and engineering
  - Companies put together complex "stacks" of technology components and use many vendor products in doing so. IT Auditors evaluate how this architecture works and whether elements in it create risks.
- Software development security
  - Companies can have large groups of software developers. IT Auditors evaluate how the development and testing process works, so that no single person can introduce malicious code into production systems. Similarly, the steps by which a company moves systems from the test environment to the live production platform are also checked in detail.
- Security assessment and testing
  - Over the years, a large knowledge base of vulnerability testing has been developed. IT Auditors perform these tests, manually and with "hacking tools", to confirm that systems are working as expected or to uncover any items that need more work.
At a more strategic level, IT Auditors may also evaluate the company's technical innovation process and how current its technologies are.
Formal discipline is now normal
Many years ago, some IT professionals and managers would find IT audits more frustrating and annoying than useful, because the audits kept them from doing "real IT work". In this day and age of hacking and cyber security threats, it is abundantly clear that all organizations need to safeguard their IT assets as much as possible and that IT audits are very important for uncovering any weaknesses in IT management.
The need for specialized IT Auditors is also no longer in question and has been formalized in certifications such as the Certified Information Systems Auditor (CISA) by the ISACA organization.