The mere mention of an “audit” is enough to make anyone nervous. But, put in proper perspective, an audit of IT operational policies and procedures is an effective means of assessing the viability of IT services and functions. An audit will serve its intended purpose if two primary objectives are reached:

1. Audit goals are clearly defined in advance, stating the purpose of the audit and the expected results.

2. Audit results are applied to improve the quality and integrity of technology operations and related services.

Step-by-Step to an IT Audit:
Step One: Set Goals and Objectives

The first step in planning an IT audit is to create a clear statement of goals and objectives, defining the purpose of the audit, expected benefits and desired results. When preparing your audit statement, the following questions should be addressed:

• Who is conducting the audit? Within larger corporate environments, IT audits may be conducted by a separate audit department; in other cases, IT may use a formal audit process as a means of self-evaluation.

• Why is the audit being conducted? Where IT policies and procedures are well established, IT audits will most likely serve a validation function, to ensure operational compliance. Where IT policies and procedures are not well defined, audits can instead serve an analytical purpose, to assess IT operations. An audit can also be a helpful investigative tool applied after a major systems failure, to uncover problems and develop operational remedies.

• What is the audit scope? A specification of scope determines the subject of the audit process, typically stating the systems and procedures to be reviewed. Audits can include any or all IT systems and services, including physical equipment, systems management procedures, outsourced functions and support services.

• What are the audit goals and objectives? The specification of audit goals and objectives should define the purpose and benefit of the audit. As discussed, audits may be designed to measure compliance, to find variances, and to look for improvements. Audits should not be used to assign blame or as the sole measure of IT “performance”. Audits are tools, and should be used to gather and report information.
Step Two: Define Audit Specifics

Audit specifics further refine your audit scope, defining the exact “subjects” of the audit process. Audit specifics will vary based on the structure and charter of your IT organization, the systems in place, available time, and your audit goals and capabilities. In most cases, a comprehensive IT audit will include a review of the following:

• Physical Security: to ensure that appropriate physical controls are in place to secure technology assets (servers, networking and telecommunications equipment), preventing unauthorized access.

• Logical Security: to ensure that appropriate software security controls are in place to prevent viruses and unauthorized data access.

• Logistical and Environmental Controls: to ensure that systems, networking and telecommunications equipment are housed in facilities designed to offer proper environmental conditions (temperature and dust regulation, furniture, racks and physical equipment organization).

• Configuration Management: to ensure that systems are installed and configured according to established requirements and standards.

• Systems Administration Procedures: to ensure that security and systems administration procedures are properly defined and assigned to staff.

• Hardware Inventory Management: to ensure that all hardware is properly inventoried and that warranty and maintenance records are maintained.

• Software Licensing Compliance: to ensure that all software usage is in compliance with licensing agreements, and that appropriate licensing records are maintained.

• Data Backup and Disaster Recovery Procedures: to ensure that data backups are being made and tested on a scheduled basis, sufficient to recover in the event of a systems failure, data loss, or other disaster.

• Documentation: to ensure that all systems, procedures, and policies are properly documented and kept up to date, including the appropriate retention of systems reports, error logs, help desk logs, and other related problem logs.

• Performance and Capacity Planning: to ensure that all systems are performing at the required levels, considering uptime, systems availability, bandwidth, data storage availability, and the archival of older data files.

• Change Management: to ensure that all major changes to systems hardware and software are properly documented, tested and verified prior to implementation, with appropriate back-out plans.

Step Three: Define the Audit Process

Once you have defined your audit goals and objectives, you will need to specify the audit process, i.e. how your audit will be conducted. You will need to create your audit team and assign roles and responsibilities. Exact audit procedures will vary based upon the systems being audited, and the size and scope of the audit itself.
In most cases, IT audit procedures can include any or all of the following:

• Hands-on, on-site technical reviews (using automated tools or manual procedures).
• Procedures testing and validation.
• On-site premises inspections.
• Interviews with IT staff.
• Physical reviews of technical documentation, logs and systems reports.
• Interviews with end-users.

Step Four: Conduct the Audit

Audits should not be surprise attacks … they should be scheduled events. It is very difficult to fake IT compliance, and very little can be gained from unscheduled audits.
If a pending audit causes IT staff to clean up minor errors and omissions, then the goal of the audit has been largely reached … to ensure compliance. For an audit to be truly effective, communication and cooperation are essential, and that can only be obtained through a non-threatening process of review and evaluation.

• Schedule the audit with IT managers and any essential staff.
• Request any special security requirements in advance (ids, passwords).
• Identify any required documentation, logs and records.
• Schedule time for an informal review of preliminary results.

Step Five: Applying Audit Results

Before you begin your audit, you should set clear expectations for the use and application of audit results. Since “blame” should not be the goal of any audit, audit results should be clearly and openly communicated. While not all results may be positive, at the end of the process there should be a clear direction for improvement. If audit results show a lack of compliance, the reasons must be evaluated … perhaps IT has not been properly funded, or policies are unrealistic and inappropriate, and compliance is impossible. Audit results have to be viewed as a whole, in the context of IT funding and staffing capabilities, and of what are reasonable IT practices. And overall, auditing is a means to an end, not a goal in and of itself. The ultimate goal is to ensure that essential systems are reliable and secure, and that technology is used to support and advance key business needs and objectives.
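As an added example (not part of the original article), the script below shows what the “automated tools” review of Step Three can look like when run against four of the Step Two specifics: hardware inventory, tested data backups, configuration management and change management, plus software licensing compliance. It evaluates constructed evidence records rather than a live environment; the hostnames, settings, licence counts, the reference date and the 90-day restore-test limit are all assumptions chosen for the example. In keeping with the article, it produces a list of variances to report rather than a verdict on the IT staff.

```python
"""Audit evidence check (added example; evidence records are constructed, not real)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class HostEvidence:
    """Evidence collected for one system during the hands-on review (constructed)."""
    name: str
    in_inventory: bool                   # Hardware Inventory Management
    last_restore_test: Optional[date]    # Data Backup / DR: last *tested* restore
    baseline: Dict[str, str]             # Configuration Management: required settings
    actual: Dict[str, str]               # settings observed on the system
    undocumented_changes: int            # Change Management: changes with no ticket


@dataclass
class LicenseEvidence:
    """Licensed versus installed seat counts for one product (constructed)."""
    product: str
    licensed_seats: int
    installed_seats: int


@dataclass
class Finding:
    """One variance to report; the audit gathers and reports, it does not assign blame."""
    area: str
    subject: str
    detail: str


def check_host(host: HostEvidence, as_of: date,
               max_restore_test_age_days: int = 90) -> List[Finding]:
    """Evaluate one host against the inventory, backup, configuration and change controls."""
    findings: List[Finding] = []

    if not host.in_inventory:
        findings.append(Finding("Hardware Inventory Management", host.name,
                                "system not present in the hardware inventory"))

    # A backup that has never been restored is unproven; an old restore test is stale.
    if host.last_restore_test is None:
        findings.append(Finding("Data Backup and Disaster Recovery", host.name,
                                "no recorded restore test"))
    else:
        age = (as_of - host.last_restore_test).days
        if age > max_restore_test_age_days:
            findings.append(Finding("Data Backup and Disaster Recovery", host.name,
                                    f"last restore test is {age} days old "
                                    f"(limit {max_restore_test_age_days})"))

    # Configuration drift: every baseline key must be present with the required value.
    for key in sorted(host.baseline):
        want, got = host.baseline[key], host.actual.get(key)
        if got != want:
            findings.append(Finding("Configuration Management", host.name,
                                    f"{key}: expected {want!r}, found {got!r}"))

    if host.undocumented_changes:
        findings.append(Finding("Change Management", host.name,
                                f"{host.undocumented_changes} change(s) without a "
                                "documented, tested ticket"))
    return findings


def check_licenses(licenses: List[LicenseEvidence]) -> List[Finding]:
    """Flag products installed on more seats than the licensing agreement covers."""
    return [
        Finding("Software Licensing Compliance", lic.product,
                f"{lic.installed_seats} installed vs {lic.licensed_seats} licensed")
        for lic in licenses
        if lic.installed_seats > lic.licensed_seats
    ]


def run_audit(hosts: List[HostEvidence], licenses: List[LicenseEvidence],
              as_of: date) -> List[Finding]:
    """Run every check and return the complete list of variances."""
    findings: List[Finding] = []
    for host in hosts:
        findings.extend(check_host(host, as_of))
    findings.extend(check_licenses(licenses))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count variances per audit area, for the informal review of preliminary results."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.area] = counts.get(f.area, 0) + 1
    return counts


# Constructed sample evidence: hostnames, settings, counts and dates are invented.
AS_OF = date(2024, 6, 1)
STANDARD = {"ssh_password_auth": "no", "ntp": "enabled", "auto_updates": "enabled"}
SAMPLE_HOSTS = [
    HostEvidence("db01", True, date(2024, 4, 15), STANDARD, dict(STANDARD), 0),
    HostEvidence("web02", True, date(2024, 1, 10), STANDARD,
                 {"ssh_password_auth": "yes", "ntp": "enabled"}, 2),
    HostEvidence("lab-pc7", False, None, {}, {}, 0),
]
SAMPLE_LICENSES = [LicenseEvidence("OfficeSuite", 50, 48), LicenseEvidence("CADTool", 5, 7)]

if __name__ == "__main__":
    results = run_audit(SAMPLE_HOSTS, SAMPLE_LICENSES, AS_OF)
    for f in results:
        print(f"[{f.area}] {f.subject}: {f.detail}")
    print("Variances by area:", summarize(results))
```

On the constructed records the script reports seven variances: a stale restore test, two configuration drifts and two undocumented changes on web02, a host missing from inventory with no restore test, and one product installed beyond its licence. The per-area summary is the kind of whole-picture view Step Five asks for, so that a cluster of findings in one area can be read against funding, staffing and the realism of the policy itself rather than as individual faults.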