If you’re running a business or managing a project, the impact of a cyber criminal on your company can be catastrophic. They can steal customer data and ruin your reputation. It’s something many don’t recover from. And, unlike in the physical world, where bad neighborhoods are more clearly demarcated, cyber threats can be like a trojan horse. They can appear friendly, but when your guard is down they ransack your data.
The threat can be internal, too, such as a disgruntled employee sabotaging in seconds everything you built over years. Bottom line: technology is useful, but it’s also vulnerable. That’s why organizations must do an IT audit to make sure their data and network are safe from attack. An IT security audit might be the only thing standing between success and failure.
What Is an IT Audit?
Audits sound bad. Nobody wants to get that letter announcing the IRS is about to open an audit on your financials. But an audit only means an official inspection of one’s accounts. An information technology audit is therefore an official examination of the IT infrastructure, policies and operations of an organization. It also adds an evaluation, to suggest improvements. IT audits have been going on since the mid-1960s and have evolved continuously since then as the technology advances.
You can think of this as an IT security audit. The point is to see if the IT controls in place are properly protecting the company’s assets, ensuring the integrity of the data, and staying in line with the goals and objectives of the company. This means that everything that involves IT is inspected, from physical security to the overall business and financial concerns.
Five Categories of IT Audits
In broad strokes, an IT audit can be broken into two types: general control review and application control review. But, if you want to get more specific, here are five categories of a well-executed audit.
- Systems & Applications: This focuses on the systems and applications within an organization. It makes sure they are appropriate, efficient, valid, reliable, timely and secure on all levels of activity.
- Information Processing Facilities: Verifies that processing is working correctly, promptly and accurately, whether in normal or disruptive conditions.
- Systems Development: To see if those systems which are under development are being created in compliance with the organization’s standards.
- Management of IT and Enterprise Architecture: Making sure that IT management is structured, and its processes run, in a controlled and efficient manner.
- Client/Server, Telecommunications, Intranets and Extranets: This spotlights telecommunication controls, such as the servers and the network that bridges clients and servers.
Who’s In Charge?
An IT auditor is responsible for the internal controls and risks associated with an organization’s IT network. That includes identifying weaknesses in the IT system and responding to any findings, as well as planning to prevent security breaches. There are certifications for this skill, such as Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP).
What’s a Good Frequency?
While there are no hard rules on frequency, regular IT security audits must be a part of an organization’s ongoing efforts. They take time and effort, so it’s a balancing act. It’s best to investigate how often other organizations of similar size in your industry conduct theirs to get a baseline.
IT Audit Best Practices
The process of conducting an IT audit is complex and touches on all aspects of your information system. There are overarching general management issues and policies to consider. There’s also security architecture and design, systems and networks, authentication and authorization and even physical security. It involves continuity planning and disaster recovery, as any good risk management effort does.
There are, too, some overriding best practices that can steer you through the maze, so you start and finish effectively. These five tips will help you conduct an IT security audit properly.
- Scope: By knowing the scope of the audit ahead of time, you’re more likely to have an audit that runs without problems. For one thing, you’ll want to involve all relevant stakeholders when planning. Speak to those who are working in the IT environment. They can help you understand what risks you’re looking to identify and understand the current capabilities of the system. This way you’ll have a better idea if there’s a need to adopt new technologies or not. Also, know the applicable laws and regulations to make sure you’re compliant.
- Outside Resources: You might have a team assembled in-house who are able to run the IT security audit themselves or you might need to seek outside contractors to help with parts or the whole thing. This must be determined beforehand. You might have an IT audit manager or need to hire a consultant, who can then train the team on what to keep an eye out for in-between IT audits.
- Implementation: Know what inventory you have and put these systems down in a list organized by priority. Know industry standards, methods and procedures to make sure you’re keeping up with the most current practices. Evaluate your audit to see if assets are protected and risks mitigated.
- Feedback: IT audit reports can feel like they’re in a different language if you’re not an IT professional. For the audit to be effective, the audit must be clear to those who are decision-makers. The IT auditor should give the report in person and field any questions, so that when done there is no question about the work and whatever vulnerabilities were discovered.
- Repeat: An IT audit isn’t a one-time event, of course, but in-between audits there is still work to do. That includes offering recommendations going forward and using software that can automatically monitor systems, users and assets. It’s a good idea to have a plan set up to review applicable laws, regulations and new developments quarterly, as the technology space is notoriously fast moving.
ProjectManager.com for IT Audit
When doing an IT audit, there are many tasks that probably require a team to execute. Sounds like a project. While there are software packages that are designed to monitor IT security, an audit is a different animal and can benefit from project management software to control it effectively.
Every audit can be broken down into a series of tasks, just as you use a work breakdown structure (WBS) to take a large project and break it up into smaller, more manageable pieces. A task list can be prioritized and then that spreadsheet uploaded into ProjectManager.com, where it’s transformed from a static sheet to a dynamic tool.
Visualize the Workflow with Kanban
Once imported, the task list can be viewed in a variety of ways. There is the kanban board that visualizes workflow. The various tasks are individual cards, which are organized by columns that state whether the work is to be started, in progress or done. These cards can be assigned to one or more team members, who can comment directly on them to collaborate. Files and images can also be attached.
Make an Audit Schedule with Gantt
Another view is the Gantt chart. This shows your task list to the left and populates those tasks across a timeline to the right. The tasks can again be assigned, collaborated on and tracked. ProjectManager.com is cloud-based software, so all status updates are instantly reflected. Task dependencies can be linked to avoid blocking team members, and if deadlines need to change that can be done with a simple drag and drop of the task timeline.
Project Dashboards for Monitoring the Audit
In terms of monitoring the progress of the IT security audit and reporting back to management, ProjectManager.com has a real-time dashboard. It keeps the project leader abreast of what’s going on and crunches the numbers automatically, displaying project metrics in clear and colorful graphs and charts. These can then be filtered to reflect the data you want and shared or printed out for a presentation.
ProjectManager.com also has many free templates to assist with various phases of any project. Our IT risk assessment template is a great place to start when doing an IT audit.
Information technology is part of almost every organization. The benefits are great, but so are the risks. ProjectManager.com is a cloud-based project management software that helps IT professionals manage the complex tasks involved in an IT audit. Try it free today with this 30-day trial.