What are some of the most common IT audit findings? I am a security manager at a medium-sized enterprise, and we are about to be audited for the first time. I'm not necessarily worried that we won't pass, but I was hoping you could provide some of the most common IT audit scenarios that you have encountered and, subsequently, how to quickly remediate them.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The key to success in an IT audit is understanding exactly what the auditors will be looking at when they arrive. This should never be a secret -- auditors should always be willing to share with you their audit plan and the specific standard that you're being audited against. Therefore, I suggest that you begin your preparation for your audit by reviewing yourself against the same standard that the auditors will use. Have you thoroughly addressed each of the requirements, and are you prepared to provide evidence demonstrating that you've done so?
There are also some recurring themes that occur in IT audits across industries that you should think about as you prepare for your audit. These include:
Retaining an audit trail for access permission changes -- Your auditors will expect to see that you've carefully documented all requests for accounts and privileges, and retained an audit trail demonstrating that someone with the appropriate authority made access decisions. Your demonstration of this may be easy if you have an automated access request management system. If you're relying on paper records or spreadsheets, this is an area to go through with a fine-tooth comb.
Preserving separation of privileges -- Sensitive transactions require more than one person to execute. For example, in the realm of financial transactions, systems should be set up to prevent the same person from being able to create a new vendor and approve payments to that vendor in order to limit the risk of financial malfeasance. You should review all of the sensitive transactions in your organization to ensure that you've adequately implemented privilege separation.
Implementing strong vendor management -- With the growing use of cloud services across industries, auditors are beginning to scrutinize these relationships, especially when they impact sensitive information. Be sure that you've documented all of these relationships and have contracts in place that provide adequate controls for your sensitive data.
These starting points will help prepare your organization for its next audit. Keep in mind, of course, that the specific items that attract an auditor's attention will depend upon your industry, past experiences and the auditors themselves.
This was first published in October 2012