How to carry out an IT Audit

You may not think you need one. In fact, 62% of IT professionals report that their employers don't regularly perform security audits until something goes wrong. IT audits are nonetheless essential to every business: they check that your IT systems and procedures are working as intended and are protected against threats, and regular assessments let you keep fulfilling your business operations and objectives.

They are also a way of demonstrating to your customers that your IT processes are secure, efficient and a cut above the competition.

This matters because, if you suffer a security breach, it is your business that answers for it. No one else. An audit can feel uncomfortable, since nobody enjoys having weaknesses pointed out, but leaving your defences unchecked is the greater risk: customers who lose faith in your ability to protect their personal data take their business elsewhere.

For this reason alone, you should have IT audits carried out regularly. Finding and fixing an issue before it is exploited is cheaper than repairing the damage afterwards, and visible care for customer data builds trust and loyalty.

To help you on your way, we have created a list of questions that you should always ask when commissioning a basic IT audit, especially if you're new to auditing or haven't got time to conduct an in-depth audit yourself.

These questions can help you to form a solid foundation of understanding that will enable you to successfully hire an external IT auditor – such as Economit – who can fulfil all of your auditing needs, whilst providing you with the best IT solution moving forward.

So take a look at these questions and bear them in mind – no matter whether you’re doing the audit yourself or are interviewing for an external auditor.

Question One: How well do you understand your business?

Before you start, it is important that you understand certain elements of your business, primarily your:

  • Business objectives
  • Recent financial information
  • Business operations and offerings
  • Any previous audit information

Auditors will take these into account when assessing your business and will tailor their advice/suggestions to accommodate your long term goals, offerings and previous audits.

Question Two: What do you want auditing?

You need to define the scope of the audit and decide whether you want to look at your IT as a whole, or whether you want to look at a particular area or process.

We recommend that you first make a list of all your assets, including computer equipment, software, and sensitive company and customer data, before defining the boundary of the audit. This boundary splits your assets into two pots: things you will audit and things you won't. NOTE: you don't need to audit everything in one go; focus on your most valuable assets. Keep the full inventory, though: an asset you leave out of this audit is still an asset an attacker can reach, so record why it was excluded and when it will be covered.

Once you've established this list, you can create a documented plan of what you want to do and pass it on to all relevant people in the organisation. Not only will this make them aware of what you're looking at; it will also ensure that you don't miss anything important, because you'll be able to see clearly which areas are being assessed.

TIPS:

  • Never make assumptions about your IT audit. Don't assume that your auditor will receive copies of your policies and system configuration data, or that they will look at them; agree from the beginning that you want these reviewed. To help with this, provide them with basic data and documentation so that they can analyse your systems, e.g. copies of relevant procedures and policies; a full list of your operating systems; external security devices; a list of application software; and your network topology (including the target IP ranges).
  • Involve the business owners and IT managers of the systems being audited early on. They know how the systems are actually used, so they can confirm that the audit covers what matters and runs without disrupting operations.
  • Once you've decided what you want audited, specify any restrictions to your chosen auditor, such as times of day when systems must not be touched, or testing methods that are off limits. Making them aware early minimises the impact on your production systems. Likewise, give them a signed authorisation (often called a rules-of-engagement or indemnification letter) that states who approved the testing, which systems and address ranges may be probed, and when. An auditor should not touch your network without it.
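
As an added illustration (not Economit's process or tooling), here is how the agreed target ranges, exclusions and testing windows from the tips above can be enforced before any probe is launched. The authorised ranges, the excluded host and the overnight window are constructed for the example; in practice they come straight from the signed scope document.

```python
"""Scope check for an audit target list: added example, not Economit's own tooling.

The signed scope document is assumed to list the authorised target IP ranges,
any hosts or ranges that must never be touched, and the times of day when
active testing is allowed. The ranges, exclusion and window below are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
import ipaddress


@dataclass
class Scope:
    authorised: list                                # CIDR strings the client signed off for testing
    excluded: list = field(default_factory=list)    # hosts/ranges explicitly out of bounds
    windows: list = field(default_factory=list)     # (start, end) local times when testing may run

    @staticmethod
    def _nets(cidrs):
        return [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def check_target(self, target: str) -> str:
        """Classify one host or CIDR as 'ok', 'excluded' or 'out-of-scope'.

        Exclusions win on any overlap, so a proposed /24 that contains a single
        excluded host is rejected rather than silently trimmed. Authorisation
        requires the whole target to sit inside one authorised range; a target
        straddling two ranges is treated as out of scope and must be split.
        Address-family mismatches (IPv4 vs IPv6) never count as a match.
        """
        net = ipaddress.ip_network(target, strict=False)
        for ex in self._nets(self.excluded):
            if ex.version == net.version and net.overlaps(ex):
                return "excluded"
        for auth in self._nets(self.authorised):
            if auth.version == net.version and net.subnet_of(auth):
                return "ok"
        return "out-of-scope"

    def in_window(self, now: datetime) -> bool:
        """True if 'now' falls inside an agreed window (windows may cross midnight)."""
        if not self.windows:
            return True  # no time restriction was agreed
        t = now.time()
        for start, end in self.windows:
            if start <= end:
                if start <= t <= end:
                    return True
            elif t >= start or t <= end:  # e.g. 22:00-06:00 wraps past midnight
                return True
        return False

    def plan_run(self, targets, now: datetime):
        """Split a proposed target list into (allowed, rejected-with-reason)."""
        if not self.in_window(now):
            return [], [(t, "outside agreed testing window") for t in targets]
        allowed, rejected = [], []
        for t in targets:
            verdict = self.check_target(t)
            if verdict == "ok":
                allowed.append(t)
            else:
                rejected.append((t, verdict))
        return allowed, rejected


# Constructed stand-in for the signed scope document.
EXAMPLE_SCOPE = Scope(
    authorised=["10.10.0.0/16", "192.0.2.0/24"],
    excluded=["10.10.5.10/32"],           # e.g. a production host the client asked us to leave alone
    windows=[(time(22, 0), time(6, 0))],  # overnight window, deliberately crossing midnight
)

if __name__ == "__main__":
    proposed = ["10.10.1.0/24", "10.10.5.0/24", "198.51.100.7", "2001:db8::1"]
    allowed, rejected = EXAMPLE_SCOPE.plan_run(proposed, datetime(2024, 1, 1, 23, 30))
    print("allowed:", allowed)
    print("rejected:", rejected)
```

Run the check against the target list every time a scan or exploitation step is about to start, not once at kick-off: scopes get amended mid-engagement, and a target that was fine last week may have been added to the exclusion list since.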

Question Three: What are your objectives?

Again, these should be made clear from the start, so there are no mistakes or confusion over what your auditor should look out for/bear in mind when performing the audit. After all, how can they provide you with advice if they don’t have a detailed understanding of your business objectives?

Similarly, if you don't give them a detailed outline of your objectives, weaknesses in areas you never mentioned may go untested because they fall outside the agreed scope, and you will only learn about them when someone exploits them. The key is to be thorough and make sure you cover everything that matters.

To give you an idea, your objectives should consist of ensuring that all of your IT Systems and Procedures are:

  1. Secure – you need to be aware of the types of attack that can threaten a business, e.g. phishing, malware and negligent employee behaviour. Each of these can affect your IT systems and potentially expose personal data.
  2. Ethical and legal
  3. Cost effective
  4. High performing and time effective
  5. Contribute to achieving your business objectives

Question Four: What areas need assessing and analysing?

Continuing on from the question above, you need to narrow down which areas you want assessed and analysed during the audit. Typically, IT audits examine your internal controls and check that they are functioning as intended, so that if something does go wrong the risk to the business is minimal.

As such, before the audit you should identify your pain points and determine whether your existing controls are enough to protect your assets, sustain data integrity and maintain the confidentiality of customer data.

To achieve this, you would want to review your:

  • IT Infrastructure
    • Is everything working together in partnership or are there clashes and gaps in the different software?
    • Is everything certified or accredited where required, and configured to the standards you have adopted?
  • Hardware & Software
    • Are you using the right tools for your business objectives?
    • Do these tools do everything that you need them to?
      • For instance, do they offer you more functionality than you actually need, or are they underperforming and lacking? If the answer is ‘yes’ to either, ask whether there are other tools you could use that won’t charge you for functions you aren’t using.
    • Does old hardware need to be audited? Yes. Make sure all outdated and retired equipment is accounted for, and that any data on it is securely wiped (or the storage media destroyed) before it is reused or disposed of. Deleting files or reformatting is not sufficient sanitisation for media that held sensitive data; follow a recognised standard such as NIST SP 800-88 and keep a record of how each device was sanitised.
    • How do these tools help you to meet your business objectives? Is it the most streamlined way for you to achieve your goals or are there better tools and processes?
    • How do these tools perform? Are they good at their job or are they prone to regular bouts of downtime or slow performance?
    • Can the auditor recommend any adjustments that would improve their performance?
  • Licensing & Guidelines
    • Is your business running IT operations ethically?
    • Do they adhere to all safeguarding guidelines?
    • Is data being gathered and stored according to the appropriate legislation?
  • Landline and Mobile Communications
    • What does your business NEED to communicate effectively (internally and externally) across teams/departments?
    • Do your current communication solutions provide you with the quality of communication that you need? If not, what can you do to enhance communications for maximum effectiveness?
    • Is there another solution that would provide the same or better quality of communication at a lower price?
  • IT Support Providers & Resource
    • Are your IT support providers the best for your business? i.e. do they complement the services you provide to customers?
    • Is the IT support you’re receiving supporting your business operations (and ensuring that they are running smoothly)? Or is it a struggle to apply the advice and support correctly to your procedures?
    • Are you receiving the amount of support you need?
      • Do you need more or less?
      • Do you expect a different level of support based on the cost of the service?
  • IT Security – you need to ensure that the products and services you’re using keep your IT infrastructure safe.
    • Are the products and services you’re using secure? If not, can the auditor recommend products, services or changes that will keep your IT infrastructure safe? For example: firewalls, antivirus or endpoint protection, anti-spam filtering, regular (and tested) data backups, multi-factor authentication, and least-privilege access control (giving individuals only the access their role needs).
    • Are your employees aware of potential security threats and how to handle them correctly? Does every employee understand their role in the security process? REMEMBER: your employees are your first line of defence, so they need to be trained to spot suspicious activity and to know the procedure for reporting it.
    • Are there any changes the auditor would recommend that could make your systems more secure and more useful to your business?

Alongside these questions you should make a list of all the threats that your data faces:

1. Malware, ransomware, hacking – external attack is one of the biggest threats a business can face. Examples include worms, Trojan horses, spyware and ransomware.
2. DoS (Denial of Service) – this kind of attack prevents legitimate users from accessing specific computer systems, devices, services and IT resources, typically by flooding servers, systems and networks with traffic in order to overwhelm your resources.
3. Malicious misuse – data can be deliberately misused or leaked by staff or third parties who have legitimate access to it.
4. Inadvertent misuse – honest mistakes by employees, such as sending data to the wrong recipient or misconfiguring a system, can compromise security just as effectively.
5. Phishing – attackers use social engineering, typically fraudulent emails, to get your employees to hand over credentials or personal information. Some attempts are crude, but well-crafted phishing can be hard to tell from a genuine message.
6. Weak or reused passwords protecting sensitive data – the widely cited figure from the 2017 Verizon Data Breach Investigations Report is that 81% of hacking-related breaches involved stolen or weak passwords.
7. Bring your own device – if your business allows employees to use their own devices, the attack surface grows: every device with access to your systems is a potential way in. All such devices therefore need to be inventoried and held to the same controls (encryption, screen lock, MFA) as company-owned ones.

  • IT Procurement
    • Are there any weaknesses in your procurement system which need to be addressed? What can you do to make it stronger?
    • Is your procurement process secure? What potential threats are there?
    • Is your procurement process time and cost efficient?
    • Is your procurement process managed by someone with a clear understanding of your day to day business operations and IT systems?
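
The asset list and risk-based scoping from Question Two, together with the control checklist under IT Security and the points about retired hardware and BYOD devices above, can be turned into a repeatable gap report. The following is an added example, not Economit's methodology: the inventory records, the tier thresholds and the per-tier control baseline are assumptions made for illustration, with the baseline drawn from the controls this page lists (firewall, antivirus/endpoint protection, backups, MFA, least privilege).

```python
"""Risk-tier an asset inventory and report control gaps: added example.

Assumptions (not from the page): the additive scoring, the three tiers, and
the mapping of tiers to required controls. The control names come from the
page's own list of security products and services. Every record below is
constructed.
"""
from dataclasses import dataclass, field

# Controls expected per risk tier. The split is an assumption for this example.
REQUIRED_CONTROLS = {
    "high":   {"firewall", "endpoint_protection", "backup", "mfa", "least_privilege"},
    "medium": {"firewall", "endpoint_protection", "backup", "mfa"},
    "low":    {"endpoint_protection"},
}

DATA_WEIGHT = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Asset:
    name: str
    owner: str
    data_class: str            # "public", "internal" or "confidential" (customer / personal data)
    internet_exposed: bool
    managed: bool              # False for BYOD or otherwise unmanaged devices
    controls: set = field(default_factory=set)
    retired: bool = False      # old hardware that is out of service
    sanitised: bool = False    # data verifiably wiped before reuse or disposal


def risk_tier(asset: Asset) -> str:
    """Additive rating: sensitivity of the data, plus exposure, plus lack of management."""
    score = DATA_WEIGHT[asset.data_class]
    score += 1 if asset.internet_exposed else 0
    score += 1 if not asset.managed else 0
    if score >= 3:
        return "high"
    if score == 2:
        return "medium"
    return "low"


def assess(asset: Asset) -> dict:
    """Return the tier, whether the asset is in this audit's scope, and any findings."""
    tier = risk_tier(asset)
    findings = []
    if asset.retired:
        # Retired kit always stays in scope: the only question is whether its data was wiped.
        if not asset.sanitised:
            findings.append("retired device not sanitised")
        return {"tier": tier, "in_scope": True, "findings": findings}
    missing = REQUIRED_CONTROLS[tier] - asset.controls
    findings.extend(f"missing control: {c}" for c in sorted(missing))
    if not asset.managed:
        findings.append("unmanaged (BYOD) device with system access")
    # Low-tier assets are recorded but deferred, matching "focus on your most valuable assets".
    return {"tier": tier, "in_scope": tier in ("high", "medium"), "findings": findings}


def gap_report(inventory) -> dict:
    return {a.name: assess(a) for a in inventory}


def in_scope_names(report: dict) -> list:
    return sorted(name for name, r in report.items() if r["in_scope"])


# Constructed inventory, standing in for the asset list built under Question Two.
INVENTORY = [
    Asset("crm-web", "sales", "confidential", True, True, {"firewall", "endpoint_protection", "backup"}),
    Asset("hr-laptop-07", "hr", "confidential", False, True,
          {"firewall", "endpoint_protection", "backup", "mfa", "least_privilege"}),
    Asset("intranet-wiki", "it", "internal", False, True, {"firewall", "endpoint_protection"}),
    Asset("staff-phone-byod", "marketing", "internal", True, False, {"mfa"}),
    Asset("old-file-server", "it", "confidential", False, True, set(), retired=True),
    Asset("kiosk-display", "reception", "public", False, True, {"endpoint_protection"}),
]

if __name__ == "__main__":
    report = gap_report(INVENTORY)
    for name in in_scope_names(report):
        print(f"{name} [{report[name]['tier']}]:", report[name]["findings"] or "no gaps")
```

The value of writing the checklist down as data is that the same report can be re-run after each remediation and at the next audit, so the documented plan from Question Two and the auditor's findings refer to the same asset names and control names.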

Next steps…

We mentioned the idea of hiring an external auditor at the beginning of this article, and we did so for a reason.

True, relying on internal staff for your IT audit is cheaper and more convenient. However, auditing properly means checking operating systems, applications and configurations in depth, and an external auditor brings both the time to do that and independence from the people who built the systems. No audit can prove a system is completely secure, but an independent review gives you far better assurance that nothing has been overlooked.

And this is important, as IT audits do more than identify risks to your technology platform. They also consist of in-depth reviews of your current policies and procedures, as well as a detailed examination of your network and system configurations.

These are not straightforward tasks and are best handled by an IT professional who is independent of your business.

For instance, top auditing companies use an array of cybersecurity auditing software to help them perform their audits – can you achieve the same in-house?

Because of this, we strongly advise hiring an IT auditor who can offer you the depth of security knowledge that you need.

Hire someone who has got:

  • Extensive work experience of performing IT audits on top of impressive qualifications/credentials.
  • A strong resume – check what other security projects they have worked on.
  • Decent references

Conclusion

In many ways, you can use these questions as guidelines to help inform your own internal audit and ensure that your report is detailed, thorough and clearly outlines your recommended changes.

With their guidance, the report you pass on to the relevant decision maker will make it easier for them to reach an informed decision about your suggestions.

If on the other hand, you choose to outsource this task to an external auditor such as Economit, you can use these questions to better inform your understanding of the auditing process. This can provide you with complete peace of mind that we are covering all of the bases.

Economit takes a thorough, investigative and analytical approach to your audit, and offers impartial and independent advice.

To book an IT audit, contact our team today.
