What are some of the most common IT audit findings? I am a security manager at a medium-sized enterprise, and we are about to be audited for the first time. I'm not necessarily worried that we won't pass, but I was hoping you could provide some of the most common IT audit scenarios that you have encountered and, subsequently, how to quickly remediate them.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The key to success in an IT audit is understanding exactly what the auditors will be looking at when they arrive. This should never be a secret -- auditors should always be willing to share with you their audit plan and the specific standard that you're being audited against. Therefore, I suggest that you begin your preparation for your audit by reviewing yourself against the same standard that the auditors will use. Have you thoroughly addressed each of the requirements, and are you prepared to provide evidence demonstrating that you've done so?
There are also some recurring themes that occur in IT audits across industries that you should think about as you prepare for your audit. These include:
Retaining an audit trail for access permission changes -- Your auditors will expect to see that you've carefully documented all requests for accounts and privileges, and retained an audit trail demonstrating that someone with the appropriate authority made access decisions. Your demonstration of this may be easy if you have an automated access request management system. If you're relying on paper records or spreadsheets, this is an area to go through with a fine-tooth comb.
Preserving separation of privileges -- Sensitive transactions require more than one person to execute. For example, in the realm of financial transactions, systems should be set up to prevent the same person from being able to create a new vendor and approve payments to that vendor in order to limit the risk of financial malfeasance. You should review all of the sensitive transactions in your organization to ensure that you've adequately implemented privilege separation.
Implementing strong vendor management -- With the growing use of cloud services across industries, auditors are beginning to scrutinize these relationships, especially when they impact sensitive information. Be sure that you've documented all of these relationships and have contracts in place that provide adequate controls for your sensitive data.
These starting points will help prepare your organization for its next audit. Keep in mind, of course, that the specific items that attract an auditor's attention will depend upon your industry, past experiences and the auditors themselves.
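As an added illustration of the first two themes (example code, not from the TechTarget page or Mike Chapple), the Python below runs two checks over constructed sample records: it flags access changes that lack retained evidence of a decision by an approver with authority who is not the requester, and it expands role memberships into effective entitlements to find anyone holding the vendor-creation and payment-approval combination the answer describes. The approver roles, role names and the payroll pair are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
# Roles whose holders may approve access requests (assumption for this example).
APPROVER_ROLES = {"manager", "data_owner"}
# Entitlement pairs one person must never hold together; the vendor/payment
# pair is the answer's own example, the payroll pair is an added assumption.
TOXIC_PAIRS = [("create_vendor", "approve_payment"), ("change_payroll", "approve_payroll")]
@dataclass
class AccessChange:
    ticket: str
    subject: str                 # account that gained the access
    requester: str
    approver: Optional[str]
    approver_role: Optional[str]
    evidence: Optional[str]      # retained proof of the decision (form, ticket link)

def audit_trail_findings(records: List[AccessChange]) -> List[Tuple[str, str]]:
    """Flag access changes an auditor could not accept as properly authorised."""
    findings = []
    for r in records:
        if not r.approver or not r.evidence:
            findings.append((r.ticket, "no retained approval evidence"))
        elif r.approver in (r.requester, r.subject):
            findings.append((r.ticket, "self-approved"))
        elif r.approver_role not in APPROVER_ROLES:
            findings.append((r.ticket, f"approver lacks authority: {r.approver_role}"))
    return findings

def effective_rights(roles: Dict[str, Set[str]], assignments: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Expand each user's role memberships into the entitlements they can actually exercise."""
    return {u: set().union(*(roles.get(r, set()) for r in rs)) for u, rs in assignments.items()}

def sod_findings(rights: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Report users holding a toxic combination (a separation-of-duties conflict)."""
    return [(u, a, b) for u, rs in sorted(rights.items())
            for a, b in TOXIC_PAIRS if a in rs and b in rs]
# Constructed sample records for the demonstration.
SAMPLE_CHANGES = [
    AccessChange("CHG-1", "bob", "bob", "carol", "manager", "signed form CHG-1"),
    AccessChange("CHG-2", "dave", "dave", "dave", "manager", "signed form CHG-2"),  # self-approved
    AccessChange("CHG-3", "erin", "frank", None, None, None),                      # nothing retained
    AccessChange("CHG-4", "gina", "gina", "hal", "intern", "signed form CHG-4"),    # approver lacks authority
]
SAMPLE_ROLES = {"ap_clerk": {"create_vendor"}, "ap_manager": {"approve_payment"}, "hr": {"change_payroll"}}
SAMPLE_ASSIGNMENTS = {"alice": {"ap_clerk", "ap_manager"}, "bob": {"ap_clerk"}, "carol": {"hr"}}

if __name__ == "__main__":
    rights = effective_rights(SAMPLE_ROLES, SAMPLE_ASSIGNMENTS)
    for finding in audit_trail_findings(SAMPLE_CHANGES) + sod_findings(rights):
        print(finding)
```

Running it against a real access-request export and an entitlement dump is the quickest way to find the paper-trail gaps and toxic combinations before the auditors do.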