Security awareness in an organization usually increases after it has been exposed to an IT audit. Having someone assess your security work, review your documentation and write a final report can be an eye opener as to what is actually expected. It is not enough to say you have a security culture and take IT security seriously. You have to prove it.
What is an IT audit?
The quick answer is that it depends. Why does it depend? Because there are many types of audits, and you can audit from many angles. Do you audit the IT systems as part of a financial audit, as compliance with some regulation, as a code review or as an independent status report in an ongoing implementation project?
As you can see, "IT audit" has many different meanings. The kind of IT audit we will focus on in this document is the "regular" IT audit that is normally performed as part of a financial audit. This type of audit is usually the basis for SOC (Service Organization Control) reports.
Purpose of the audit
The purpose of an IT audit is to verify that IT risks are identified, mitigated and managed. The bigger the organization, the harder it is to keep track of everything that is going on. Risks that are not identified and treated can lead to serious incidents that harm the organization, both financially and reputationally. The IT auditor will therefore ask: what can go wrong?
To answer that question, they will look for processes that attempt to manage that risk. Once a process has been identified, the auditor will look for controls that support adherence to the process. The results of an IT audit are summed up in an audit report.
The audit report is a chance for the board, the stockholders, third parties and other stakeholders to get an independent status. The audit report should give assurance that sound IT processes are implemented and followed to reduce risk. It will show whether or not the organization is complying with rules, regulations and its own policies.
Parts of an audit
When doing an IT audit, the auditor should always ask what could go wrong. The answers will depend on the size of the organization, the complexity of the IT systems and so on. Based on this initial assessment the auditor will plan the IT audit: which systems will be in scope, how extensive the scope is, and whether there are any special risks that need to be evaluated.
An IT auditor will usually be more interested in active risk evaluations, security policies and compliance with processes than in fancy new technology. A new next-generation firewall (NGFW) is not important without a risk assessment explaining why it was needed and processes describing how to configure it and monitor the traffic. Some processes, though, are considered so essential that they will almost always be part of the IT audit.
Change management is an essential process that should be part of every organization. It is the alpha and omega of ensuring that changes are registered and handled correctly. The change management process is so common that it is one of the best-known processes in the best-practice framework called ITIL. ITIL defines a change as "the addition, modification or removal of anything that could have an effect on IT services". Without a change management process, or with an inefficient one, there is a risk that:
- Changes are implemented without proper authorization. This can incur costs that were never authorized. It can take a piece of software or a system in a direction that was not planned or that goes against the authorized plan. It can also introduce code into software that is malicious or that opens the opportunity for fraud or embezzlement.
- Changes are introduced into the production environment without being thoroughly tested. Such changes can introduce bugs that make the production environment crash, leading to downtime, complaints and a lot of extra work restoring the system.
- Lack of segregation of duties, which means that one person has the power to create the change and introduce it into production without anyone else knowing about it. This increases the risk of fraud, deliberately introduced bugs and bad coding practices.
- Lack of a change register, which means that there is no record of which changes were introduced, when and by whom. When was the system upgraded, was the security patch applied, who added that functionality and when was that database deleted? These are all questions that a change management process should be able to answer.
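The four risks above are exactly what an auditor tests a change register against. The following is an added example (not from the original text) of an automated review over a constructed change register; the record fields, names and finding texts are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class ChangeRecord:
    """One entry in a change register (constructed structure for this example)."""
    change_id: str
    description: str
    requested_by: str
    approved_by: Optional[str]   # None means no authorization was recorded
    implemented_by: str
    tested: bool                 # was test evidence attached before deployment?
    deployed_on: str             # ISO date; empty string if never registered

def audit_change_register(register: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Return {change_id: [findings]} for every change that fails a control.
    A change that passes all checks does not appear in the result."""
    findings: Dict[str, List[str]] = {}
    for c in register:
        issues: List[str] = []
        # Authorization: someone must have approved the change.
        if not c.approved_by:
            issues.append("no authorization recorded")
        # Testing: changes must not reach production without test evidence.
        if not c.tested:
            issues.append("deployed without test evidence")
        # Segregation of duties: the person putting the change into production
        # must not be the only person who knew about it.
        if c.approved_by and c.approved_by == c.implemented_by:
            issues.append("segregation of duties: approver also implemented the change")
        elif not c.approved_by and c.requested_by == c.implemented_by:
            issues.append("segregation of duties: single person requested and implemented")
        # Register completeness: when did the change go live?
        if not c.deployed_on:
            issues.append("deployment date not registered")
        if issues:
            findings[c.change_id] = issues
    return findings

# Constructed sample register: one clean change and two problematic ones.
SAMPLE_REGISTER = [
    ChangeRecord("CHG-001", "apply security patch", "alice", "bob", "carol", True, "2024-03-01"),
    ChangeRecord("CHG-002", "drop old reporting table", "dave", None, "dave", False, ""),
    ChangeRecord("CHG-003", "add export feature", "erin", "frank", "frank", True, "2024-03-05"),
]

if __name__ == "__main__":
    for change_id, issues in audit_change_register(SAMPLE_REGISTER).items():
        print(change_id, "->", "; ".join(issues))
```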
Unlike IT general controls, which are general controls and processes that apply to all systems, application controls are specific controls for a specific system. Application controls are also automatic controls that, once set up, work the same way every time without manual intervention. The purpose of application controls is to protect the confidentiality, integrity and availability of the application and its associated data. Some application controls are hardcoded into the application, while others are open for configuration by the organization. Application controls come in many shapes and forms and can be categorized as:
- Completeness checks – ensure that a process is completed, analogous to required fields.
- Data validation checks – ensure the validity of the inputted data according to expected values. A field expecting a numeric value will not accept a word or special characters, and a field expecting a credit card number will require a certain number of digits in a specific format.
- File controls – verification of the file types permitted to be associated with the application or run on the system.
- Range checks or value checks – ensure that the inputted value is within the expected range. A price field may not accept negative numbers, or numbers above a certain limit.
- Duplicate checks – ensure that no duplicate record exists.
- Sequence checks – ensure that a logical sequence is followed.
- Key verification – verification of cryptographic keys.
- Identification controls – ensure that the user or application that attempts to communicate is identified.
- Authorization controls – ensure proper user authorization for performing a given action. This is closely linked to user management and role-based access control. If a user is given a role that grants access to financial data but not HR data, the application control should prevent that user from accessing HR data.
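To make the categories concrete, here is an added example (not from the original text) that applies the completeness, data validation, range, duplicate, sequence and authorization controls to a constructed payment record. The field names, limits, role table and failure messages are assumptions chosen for illustration.

```python
import re
from typing import Dict, List, Set

REQUIRED_FIELDS = ("order_id", "amount", "card_number", "submitted_by")
MAX_AMOUNT = 10_000.0                      # assumed upper limit for one payment
CARD_RE = re.compile(r"^\d{16}$")          # assumed format: exactly 16 digits
# Role-based access control table (constructed): role -> permitted actions
ROLE_PERMISSIONS = {"finance": {"post_payment"}, "hr": {"view_employee"}}

def validate_payment(record: dict, user_roles: Dict[str, str],
                     existing_ids: Set[str], last_seq: int) -> List[str]:
    """Run each application control over one record.
    Returns the list of control failures; an empty list means the record is accepted."""
    failures: List[str] = []
    # Completeness check: every required field must be present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]
    if missing:
        failures.append("completeness: missing " + ", ".join(missing))
    # Data validation check: the card number must match the expected format.
    if not CARD_RE.match(str(record.get("card_number", ""))):
        failures.append("data validation: card number must be 16 digits")
    # Data validation + range check on the amount.
    amount = record.get("amount")
    if not isinstance(amount, (int, float)):
        failures.append("data validation: amount must be numeric")
    elif not (0 < amount <= MAX_AMOUNT):
        failures.append("range: amount must be between 0 and %.0f" % MAX_AMOUNT)
    # Duplicate check: the same order must not be recorded twice.
    if record.get("order_id") in existing_ids:
        failures.append("duplicate: order_id already recorded")
    # Sequence check: the record must continue the numbering without gaps.
    if record.get("sequence") != last_seq + 1:
        failures.append("sequence: expected sequence number %d" % (last_seq + 1))
    # Authorization control: the submitting user's role must permit the action.
    role = user_roles.get(record.get("submitted_by", ""))
    if "post_payment" not in ROLE_PERMISSIONS.get(role, set()):
        failures.append("authorization: user is not permitted to post payments")
    return failures

# Constructed sample data.
USER_ROLES = {"alice": "finance", "bob": "hr"}
EXISTING_IDS = {"ORD-100"}
GOOD = {"order_id": "ORD-101", "amount": 250.0, "card_number": "4111111111111111",
        "submitted_by": "alice", "sequence": 101}
BAD = {"order_id": "ORD-100", "amount": -5, "card_number": "4111-1111",
       "submitted_by": "bob", "sequence": 105}
```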
Knowing how an IT audit works, the organization can prepare by implementing the processes and controls that are expected. It can also start gathering and documenting the audit evidence that will be needed. It can be both embarrassing and humiliating for an organization that believes it has IT security under control to completely fail an audit.