IT Audit: Because you know I'm all about that Scope, 'bout that scope.

The term IT Audit is so often used and misused by IT and business professionals in all industries.

According to Wikipedia, IT Audit is defined as, “an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.”

Ok, that’s not bad, but it is also incomplete.  It doesn’t speak to the People, and Process part of the picture, only the Technology.

I should mention one more thing before moving on. There are really two dimensions; physical and logical. Physical is essentially as it sounds-the brick and mortar facilities owned or leased by a company, and any third-party provider facilities that the company uses i.e. Rackspace or SunGard that may host the company’s systems. The logical element is the network or systems where the data traverses, or is at rest. As an IT Auditor, we will be looking at one or both of these dimensions.

The keys to performing a good audit are attention to detail, and good, early communications. On every audit, it is critical to set the expectations out of the gate. The number one thing is scope…. It is all about the scope. Clearly review what elements of the environment are in scope and what are not in scope. The next important thing is to articulate to what framework you are auditing the scope to. In other words, are you auditing the environment to a law, a regulation, a standard, or best practices?

I think it is important to understand some of the terminology before driving this thing home. What is a Control or Control Objective you ask? Glad you asked! A control is something physical or logical that is put in place to mitigate a risk. A risk is a control weakness. One or more controls roll up to a control objective. Consider the following example: 

A control objective may be to “restrict unauthorized access to a facility”.  The controls that roll up to meet that control objective may include a locked door, cameras, an alarm, and a guard. The aggregate of these controls is tested by the auditor to determine if they function as designed. Together these controls reduce the risk to reasonable levels and effectively mitigate the risk of unauthorized access to the facility.

Ok, now that you understand the nomenclature, let’s get back to the IT Audit at hand. These things don’t take care of themselves. Once the scope is clearly defined, and it is clear what you are auditing the environment to, then the meat of the audit process can begin.

The IT auditor creates the audit plan, which is where control objectives and tests are defined in preparation for the actual audit fieldwork. From the plan, a request list of evidence is compiled and provided to the party being audited. The auditee must gather together all the requested artifacts for the auditor to examine. This is where the testing of controls really begins.

Time is scheduled for the auditor to perform a walkthrough of the facilities and to interview several critical resources that manage or work within the area(s) being audited. The auditor then goes onsite and observes the environment focusing on the scope of the audit, and observing physical controls throughout the environment.

The IT auditor observes and reviews artifacts provided for each control tested to determine if it is operating effectively as designed. Anywhere the tests fail, and a control weakness is identified, a level of risk is applied to the control weakness depending on where the control resides in the environment and several other factors. When all the controls have been tested, an overall opinion is asserted about the audited environment, and an Audit report is issued.

That was the 20,000-foot overview of an IT Audit, next time we will delve into root canals and tooth decay.

If you are just getting started with your Information Security Program and Audit program and need some areas to focus on, a great place to start is the Center for Internet Security Top 20 Critical Security Controls. To learn more about these controls, download our eBook.

Remember, if you want your financials audited or your taxes done, call a CPA firm, but if you want an IT Security or Compliance Audit performed call a firm that specializes in IT Audit, Security, and Compliance – Compass IT Compliance, LLC.