Security Awareness Through IT Audits
Security awareness in an organization often increases after being exposed to an IT audit. Having someone assess your security efforts, review documentation, and write a final report can be eye-opening in terms of what is actually expected. It’s not enough to say you have a security culture and take IT security seriously—you have to prove it.
What Is an IT Audit?
The quick answer is: it depends. Why? Because there are many types of audits, and they can be conducted from different perspectives. Are you auditing IT systems as part of a financial audit, for compliance with a regulation, for a code review, or as an independent status check during an ongoing implementation project?
As you can see, “IT audit” can mean different things in different contexts.
In this article, we’ll focus on the “regular” IT audit typically conducted as part of a financial audit, which often forms the basis for SOC (Service Organization Control) reports.
Purpose of the Audit
The purpose of an IT audit is to verify that IT risks are identified, mitigated, and managed. The larger the organization, the harder it becomes to keep track of everything happening internally. Risks that are not identified and addressed can lead to serious incidents, causing financial loss or reputational damage.
The IT auditor’s key question is: “What can go wrong?”
Once that question is asked, they’ll look for processes designed to manage those risks. Once a process is identified, the auditor will look for controls that support its consistent execution.
The results of the audit are documented in an audit report—a valuable resource for the board, shareholders, third parties, and other stakeholders. It provides independent assurance that sound IT processes are in place and being followed. The report will also assess whether the organization is in compliance with laws, regulations, and internal policies.
Parts of an Audit
When conducting an IT audit, the auditor should always begin by asking, “What could go wrong?” The answer will vary based on the organization’s size, the complexity of its IT systems, and other factors.
Based on the initial assessment, the auditor will define the scope—which systems are included, how extensive the audit will be, and whether there are specific risks that need special evaluation.
An IT auditor is typically more concerned with risk evaluations, policies, and process compliance than with shiny new technologies. For example, a next-generation firewall (NGFW) means little without a risk assessment justifying its implementation, and without clearly defined processes for its configuration and traffic monitoring.
Some processes, however, are so essential that they’re almost always included in any IT audit:
Change Management
Change management is an essential process in every organization. It is the alpha and omega of ensuring that changes are properly recorded, evaluated, and implemented. The change management process is one of the best-known components of the ITIL (Information Technology Infrastructure Library) framework.
ITIL defines a change as:
“The addition, modification, or removal of anything that could affect IT services.”
Without a robust change management process—or with an inefficient one—several risks arise:
- Unauthorized changes may be implemented, resulting in unapproved costs or unintended system behavior. They may also introduce malicious code or create opportunities for fraud.
- Unverified changes might be deployed into production without adequate testing. These can lead to bugs, system crashes, and costly downtime.
- Lack of segregation of duties means one person could both create and deploy a change without oversight. This increases the risk of fraud, poor coding practices, or deliberate harm.
- No change log means there’s no visibility into what changes were made, by whom, or when. Questions like “Was the system upgraded?”, “Was the security patch applied?”, or “Who deleted that database?” become hard to answer.
A proper change management process ensures all of these issues are addressed systematically.
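As an added illustration (not code from the article or from ITIL), the following Python sketch maps the four risks listed above onto enforceable checks in a minimal change workflow; the function names (`approve`, `record_test`, `deploy`, `history`) and the `CHANGE_LOG` structure are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

class ChangeControlError(Exception):
    pass  # raised when a step would violate one of the change-management controls

@dataclass
class Change:
    change_id: str
    description: str
    requested_by: str
    approved_by: Optional[str] = None
    tested: bool = False
    deployed_by: Optional[str] = None

CHANGE_LOG = []  # append-only change log: who did what to which change, and when

def _log(change, action, actor):
    CHANGE_LOG.append({"change_id": change.change_id, "action": action, "actor": actor,
                       "at": datetime.now(timezone.utc).isoformat()})

def approve(change, approver):
    # Segregation of duties: the requester may not approve their own change
    if approver == change.requested_by:
        raise ChangeControlError("requester cannot approve own change")
    change.approved_by = approver
    _log(change, "approved", approver)

def record_test(change, tester, passed):
    # Unverified changes: test evidence is recorded before deployment is allowed
    change.tested = passed
    _log(change, "tested:pass" if passed else "tested:fail", tester)

def deploy(change, deployer):
    # Unauthorized changes: nothing reaches production without an approval
    if change.approved_by is None:
        raise ChangeControlError("change not approved")
    if not change.tested:
        raise ChangeControlError("change has no passing test record")
    # Segregation of duties: the requester may not deploy their own change either
    if deployer == change.requested_by:
        raise ChangeControlError("requester cannot deploy own change")
    change.deployed_by = deployer
    _log(change, "deployed", deployer)
    return True

def history(change_id):
    # Answers "what happened to this change, by whom?" from the log
    return [(e["action"], e["actor"]) for e in CHANGE_LOG if e["change_id"] == change_id]
```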
Application Controls
Unlike IT general controls (which apply across all systems), application controls are specific to individual applications. They are usually automated and function consistently once configured.
The goal of application controls is to ensure the confidentiality, integrity, and availability of the application and its data. Some controls are hardcoded, while others can be configured by the organization.
Examples of application controls include:
- Completeness Checks – Ensure required processes or fields are completed.
- Data Validation Checks – Verify that inputs meet expected formats (e.g., a credit card field requires 16 digits).
- File Controls – Restrict which file types can be used or executed.
- Range/Value Checks – Ensure values fall within allowed limits (e.g., no negative prices).
- Duplicate Checks – Prevent duplicate records.
- Sequence Checks – Ensure operations occur in a logical order.
- Key Verification – Verify cryptographic keys are correct.
- Identification Controls – Confirm the identity of users or systems communicating with the application.
- Authorization Controls – Ensure only authorized users can perform certain actions. These are closely linked to user management and role-based access control (RBAC). For example, a user with access to financial data should not have access to HR records if it’s not part of their role.
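As an added example (not code from the article), the Python below implements five of the listed controls (completeness, data validation, range/value, duplicate and sequence checks) as a batch validator over constructed order records; the field names, the `STATUS_ORDER` sequence and the helper names are assumptions made for this example.

```python
import re
REQUIRED_FIELDS = ("txn_id", "order_id", "card_number", "price", "status")
CARD_RE = re.compile(r"\d{16}")                        # data validation rule: exactly 16 digits
STATUS_ORDER = ("created", "approved", "shipped")      # the only allowed status sequence

def check_record(rec, seen_txn, prev_status):
    """Run the application controls on one record; return the list of failures."""
    failures = []
    # Completeness check: every required field is present and non-empty
    failures += [f"missing {f}" for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
    # Data validation check: the card number field must be exactly 16 digits
    if not CARD_RE.fullmatch(str(rec.get("card_number", ""))):
        failures.append("card_number must be 16 digits")
    # Range/value check: price must be numeric and never negative
    try:
        if float(rec.get("price")) < 0:
            failures.append("negative price")
    except (TypeError, ValueError):
        failures.append("price not numeric")
    # Duplicate check: a transaction id may be accepted only once per batch
    if rec.get("txn_id") in seen_txn:
        failures.append("duplicate txn_id")
    # Sequence check: an order's status may only advance one step along STATUS_ORDER
    status = rec.get("status")
    if prev_status is None:
        expected = STATUS_ORDER[0]
    else:
        i = STATUS_ORDER.index(prev_status) + 1
        expected = STATUS_ORDER[i] if i < len(STATUS_ORDER) else None
    if status != expected:
        failures.append(f"status {status!r} out of sequence (expected {expected!r})")
    return failures

def run_controls(records):
    """Apply the controls to a batch in order; return [(txn_id, failures)] for rejects."""
    rejected, seen_txn, last_status = [], set(), {}
    for rec in records:
        failures = check_record(rec, seen_txn, last_status.get(rec.get("order_id")))
        if failures:
            rejected.append((rec.get("txn_id"), failures))
        else:  # only accepted records update the duplicate and sequence state
            seen_txn.add(rec["txn_id"])
            last_status[rec["order_id"]] = rec["status"]
    return rejected

def rec(txn, order, card="1234567812345678", price="3", status="created"):
    return {"txn_id": txn, "order_id": order, "card_number": card, "price": price, "status": status}
SAMPLE_BATCH = [  # constructed sample input: one good record, then one failure per control
    rec("t1", "o1", price="19.99"), rec("t2", "o1", status="shipped"),
    rec("t3", "o2", card="1234-5678", price="-5"), rec("t1", "o3"), rec("t4", "o4", status=None)]
```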
Summary
By understanding how an IT audit works, organizations can prepare by implementing the expected processes and controls and by collecting the required audit evidence in advance.
An organization that believes it has its security under control may be surprised—and even embarrassed—when it fails an audit due to missing documentation, unclear processes, or unmanaged risks. Proactive preparation is key to success.